When the malware known both as Triton and Trisis came to light in late 2017, it quickly gained a reputation as perhaps the world’s most dangerous piece of code: the first ever designed to disable the safety systems that protect industrial facilities from potentially lethal physical accidents. But the Triton hackers still have to engage in far more common forms of hacking to plant that code, in some cases spending close to a year digging their way through IT networks before they reach their targets. They’ve used a distinct toolkit of custom-made malware to do so—and bringing it to light might now help stop other active intrusions before it’s too late.
At the Kaspersky Security Analyst Summit in Singapore Wednesday, researchers at the security firm FireEye plan to present some of the lessons they’ve learned in following the footprints of the Triton hackers, known sometimes as TEMP.Veles or Xenotime. Two customers hired FireEye to investigate intrusions on their networks—the Petro Rabigh oil refinery temporarily shut down by Triton in Saudi Arabia in 2017, and another anonymous, previously undisclosed victim whose breach FireEye investigated just this year.
In those investigations, FireEye says it’s identified a collection of custom malicious software that the Triton hackers used, tools that allowed the hackers to patiently advance their intrusion as they worked to gain access to the victims’ industrial control systems.
In contrast to Triton—one of a few vanishingly rare pieces of malware that directly targets industrial control systems—the newly named tools are essentially custom-written versions of common programs hackers use to work through traditional IT networks. But FireEye director of intelligence analysis John Hultquist says that detailing the Triton hackers’ custom toolkit might help other potential targets protect themselves. “We’ve only found them twice, and we think there’s more out there,” says Hultquist.
The stakes are high. The hackers behind Triton have already dared once to inflict potentially serious damage in a facility, attacking Triconex safety-instrumented systems at the Petro Rabigh refinery in a way that could have led to a lethal, catastrophic accident. Fortunately, it only triggered a shutdown of the plant. But any ongoing Triton attack could have similarly weighty consequences. “We’re providing our methodology to the world so they can look for this actor, whom we’re taking very seriously,” Hultquist says.
The list of tools FireEye has identified includes a program called SecHack, designed to pull a target user’s passwords and other credentials out of a computer’s memory so that they can be repeatedly reused to log into any machine on the network the victim has access to. It essentially recreates the functionality of an open-source, ultra-common tool known as Mimikatz, which was created in 2011 and designed to similarly suck passwords out of a computer’s RAM. Another custom tool FireEye found the Triton hackers using is called NetExec, which mimics the functionality of PSExec, a Windows utility that lets administrators run commands on remote computers across a network.
Hackers frequently use PSExec together with credentials stolen by Mimikatz. The Triton hackers similarly combine their custom SecHack and NetExec tools, using them to hopscotch from machine to machine within a network.
Why write their own custom versions of publicly accessible commodity tools? FireEye security researcher Steven Miller says the Triton hackers may have created their own custom software to evade security technologies that can spot the use of Mimikatz and PSExec. That may allow them to hide longer in a victim’s network; in both cases FireEye analyzed, the hackers’ intrusions persisted for months before they even attempted to drop their Triton payload. But that decision now gives anyone who spots those unique tools on their network a strong clue that they’re being targeted by a very dangerous hacker group with a history of physical sabotage. “There’s a tradeoff in the risks they take,” says Miller.
Another handful of tools FireEye is naming in its talk allow the hackers to maintain command-and-control communications with compromised machines via a grab bag of backdoors. Each of those backdoors is based on a different remote command tool: Cryptcat, PLINK, Bitvise and OpenSSH. “They’re introducing a bit of variety,” Miller speculates. “That may help them maintain access, especially in the face of detection or incident response.”
In addition to those custom tools, FireEye has also detailed a more comprehensive collection of other techniques the Triton hackers used, listed in this blog post.
Sirens of Triton
Merely searching their network for those custom tools and techniques shouldn’t give anyone a false sense of confidence, warns Dave Weinstein, vice president of threat research at industrial control system security firm Claroty. The presence of the tools FireEye named may be revealing, but the absence of them doesn’t mean much, given that the Triton hackers likely change their tooling over time, and will likely do so again after FireEye’s revelations. But he says FireEye’s work could nonetheless help identify some ongoing operations. “If there were any active intrusions, those operations could be compromised, and that’s huge,” Weinstein says.
Even as FireEye details how the hackers have moved through some target networks, exactly how they gain initial access to those networks remains more mysterious. FireEye declined to comment on that first step. But Joe Slowik, a researcher at the industrial control system security firm Dragos, hints that the hackers seem to be brute-forcing their way in, running through potential passwords against unspecified, externally accessible parts of a network. “It looks more like guessing than using a list” of usernames and passwords, Slowik says.
The two targets whose breaches FireEye analyzed are far from the only potential victims of the Triton hackers. Dragos reported last year that the same hackers have probed oil and gas targets in North America and Europe. And the news outlet Cyberscoop reported at the time that multiple companies within the US have been breached by the group. Slowik says the company has seen signs that the Triton hackers may be seeking to penetrate industrial control system technology companies, perhaps in an effort to infect industrial firms’ technology supply chain, or more likely to perform reconnaissance and find more vulnerabilities to exploit in future intrusions targeting industrial control systems.
“We fully anticipate this entity to be active for the foreseeable future,” Slowik says. He notes that Dragos itself hasn’t seen any of the Triton hackers’ custom “calling cards” of the kind FireEye described in victim networks, but he also declined to comment on whether Dragos has directly performed incident response for any victims.
FireEye’s Hultquist admits it’s likely the Triton hackers will change up their hacking habits following FireEye’s reporting on them—if they haven’t already. “They may have already changed somewhat, and we’re going to have to reckon with what they look like now,” Hultquist says.
But the chance to head off ongoing intrusions—where serious physical sabotage remains a risk—makes it worth showing their cards, Hultquist says. “That’s part of why we’re being so forthright with this information. We want others to keep an eye on this as well,” he says. “That, and the sheer danger posed by this actor.”