> The TRITON attack demonstrates an important property of attacks on industrial enterprises: they may show no signs of malicious computer activity.
# Incident Report: TRITON Malware Attack on Industrial Systems
## Executive Summary
The TRITON (or TRISIS) incident involved the deployment of advanced, industrial-process-aware malware designed to interact with Schneider Electric’s Triconex Safety Instrumented System (SIS). The attackers gained remote access to an ICS workstation and attempted to reprogram safety controllers, which resulted in an automatic plant shutdown. This incident is significant because it targeted the "last line of defense" intended to prevent catastrophic physical events.
## Incident Details
- **Discovery Date:** August 2017
- **Incident Date:** Mid-to-late 2017 (Multi-stage campaign)
- **Affected Organization:** Not officially disclosed (widely reported as Petro Rabigh)
- **Sector:** Oil & Gas
- **Geography:** Saudi Arabia
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown specifics; months prior to discovery.
- **Vector:** Likely through a compromised remote access solution or spear-phishing into the corporate (IT) network.
- **Details:** Attackers breached the IT network and successfully pivoted through the DMZ into the Industrial Control Systems (ICS) environment.
### Lateral Movement
- Attackers moved from the IT network to the OT (Operational Technology) network using stolen credentials and established a footprint on a SIS engineering workstation.
### Data Exfiltration/Impact
- **Reprogramming:** The attackers used the TRITON framework to interact with Triconex SIS controllers.
- **Malfunction:** During an attempt to modify the controller logic, a bug in the attack code or a failed check caused the SIS controllers to enter a failed state, triggering a safe shutdown of the industrial process.
### Detection & Response
- **Detection:** The incident was discovered after the plant experienced an unexpected shutdown that could not be explained by mechanical failure.
- **Response:** Forensic investigators (FireEye/Mandiant and Schneider Electric) were called in to analyze the SIS controllers and the engineering workstation, discovering the malicious `Trident` files.
## Attack Methodology
- **Initial Access:** RDP/VPN via compromised corporate credentials.
- **Persistence:** Custom backdoors and Mimikatz for credential harvesting.
- **Privilege Escalation:** Exploitation of Windows vulnerabilities and administrative credential theft.
- **Defense Evasion:** Malware was disguised as legitimate Schneider Electric software (e.g., `trilog.exe`) and resided in memory.
- **Credential Access:** Mimikatz and other memory-scraping tools.
- **Discovery:** Scanning the network for PowerPC-based devices using the TriStation protocol (UDP/1502).
- **Lateral Movement:** Standard IT tools (RDP, PsExec) and the proprietary TriStation protocol for OT movement.
- **Collection:** Gathering technical manuals and configuration files for the safety system.
- **Exfiltration:** N/A (Focus was on sabotage, not data theft).
- **Impact:** Direct manipulation of Safety Instrumented Systems (SIS) logic via the TRITON framework.
## Impact Assessment
- **Financial:** Significant losses due to unplanned production downtime during the shutdown and subsequent investigation.
- **Data Breach:** Compromise of sensitive industrial network topology and safety configurations.
- **Operational:** Physical plant shutdown; potential risk to life and environment had the safety systems been successfully disabled.
- **Reputational:** High-profile global reporting on the vulnerability of critical infrastructure.
## Indicators of Compromise
- **Network:** Communication over UDP port 1502 (TriStation protocol) from unauthorized hosts.
- **File:** `library.zip`, `trilog.exe` (Defanged: `trilog[.]exe`), `script.py`.
- **Behavioral:** Unexpected transitions of SIS controllers to "Program Mode"; presence of compiled Python scripts on engineering workstations.
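The three indicator classes above (network, file, behavioral) can be turned into simple detection checks. The following Python is an added example, not code from the original report or from any vendor; every address, flow record, controller event and file path in it is constructed for illustration, and the allowlist of engineering workstations and controller addresses is an assumed site inventory.

```python
"""Detection checks for the TRITON indicators listed in this report.

Added example, not part of the original report. Every host address,
flow record, controller event and file path below is constructed.
"""
from dataclasses import dataclass
from typing import Iterable

TRISTATION_PORT = 1502  # TriStation engineering protocol runs over UDP/1502

# Constructed allowlist: only approved SIS engineering workstations should
# ever speak TriStation to the safety controllers.
APPROVED_ENGINEERING_WORKSTATIONS = {"10.10.30.5"}
SIS_CONTROLLERS = {"10.10.30.101", "10.10.30.102"}

# File-name indicators from the report's IoC list.
FILE_IOCS = {"trilog.exe", "library.zip", "script.py"}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse a constructed flow record: '<ts> <src> -> <dst> <proto> <dport>'."""
    ts, src, _arrow, dst, proto, dport = line.split()
    return Flow(ts, src, dst, proto.lower(), int(dport))


def unauthorized_tristation(lines: Iterable[str]) -> list[Flow]:
    """Network IoC: UDP/1502 to a safety controller from a host that is not
    an approved engineering workstation."""
    return [
        f for f in map(parse_flow, lines)
        if f.proto == "udp" and f.dport == TRISTATION_PORT
        and f.dst in SIS_CONTROLLERS
        and f.src not in APPROVED_ENGINEERING_WORKSTATIONS
    ]


def program_mode_transitions(events: Iterable[str]) -> list[tuple[str, str]]:
    """Behavioral IoC: a controller reporting a change to PROGRAM mode.
    Event lines are constructed: '<ts> <controller> state=<STATE>'."""
    alerts = []
    for line in events:
        ts, ctrl, kv = line.split()
        state = kv.split("=", 1)[1].upper()
        if state == "PROGRAM":
            alerts.append((ts, ctrl))
    return alerts


def suspicious_files(listing: Iterable[str]) -> list[str]:
    """File IoC: known TRITON file names, plus compiled Python (.pyc), on an
    engineering workstation that has no business running Python."""
    flagged = []
    for path in listing:
        name = path.rsplit("/", 1)[-1].lower()
        if name in FILE_IOCS or name.endswith(".pyc"):
            flagged.append(path)
    return flagged


# Constructed sample data for the three checks.
SAMPLE_FLOWS = [
    "2017-08-04T02:13:07Z 10.10.30.5 -> 10.10.30.101 udp 1502",   # approved workstation
    "2017-08-04T02:13:09Z 10.10.20.15 -> 10.10.30.101 udp 1502",  # unapproved host in the DCS zone
    "2017-08-04T02:13:11Z 10.10.20.15 -> 10.10.30.9 tcp 3389",    # RDP, not TriStation
    "2017-08-04T02:13:12Z 10.10.20.15 -> 10.10.30.102 udp 1502",  # second controller
]
SAMPLE_EVENTS = [
    "2017-08-04T02:14:00Z sis-ctrl-01 state=RUN",
    "2017-08-04T02:14:30Z sis-ctrl-01 state=PROGRAM",
    "2017-08-04T02:14:31Z sis-ctrl-02 state=RUN",
]
SAMPLE_LISTING = [
    "C:/Users/eng/Desktop/trilog.exe",
    "C:/Users/eng/Desktop/library.zip",
    "C:/Users/eng/Desktop/script.py",
    "C:/Users/eng/AppData/Local/Temp/helper.pyc",
    "C:/Program Files/SIS Engineering/engineering_tool.exe",
]


if __name__ == "__main__":
    for f in unauthorized_tristation(SAMPLE_FLOWS):
        print(f"ALERT unauthorized TriStation: {f.src} -> {f.dst} at {f.ts}")
    for ts, ctrl in program_mode_transitions(SAMPLE_EVENTS):
        print(f"ALERT {ctrl} entered PROGRAM mode at {ts}")
    for path in suspicious_files(SAMPLE_LISTING):
        print(f"ALERT TRITON file indicator: {path}")
```

The network check is the most durable of the three: file names are trivially renamed, but any host other than an approved engineering workstation speaking TriStation to a safety controller is anomalous regardless of what tooling produced the traffic, which is why the report stresses that the attack looked "legitimate" to IT-focused monitoring.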
## Response Actions
- **Containment:** Isolation of the affected ICS subnet and engineering workstations.
- **Eradication:** Re-imaging of infected workstations; firmware integrity checks on SIS controllers.
- **Recovery:** Restoration of process operations after validating that SIS logic had not been secretly altered to a dangerous state.
## Lessons Learned
- **OT/IT Separation:** The air-gap or DMZ between IT and OT was insufficient or improperly configured.
- **Safety is Security:** Safety systems are no longer "immune" to cyberattacks; they are primary targets for high-end threat actors.
- **Silent Activity:** As noted by Kaspersky, the attack showed no "malicious" signs to traditional IT monitors because it utilized legitimate industrial protocols.
## Recommendations
- **Physical Keyswitch Management:** Ensure SIS controllers are kept in "RUN" mode and physical keys are removed so logic cannot be changed remotely.
- **Network Segmentation:** Implement strict unidirectional gateways or robust firewalls between IT/OT and specifically between the DCS and SIS layers.
- **Endpoint Monitoring:** Deploy specialized ICS monitoring solutions capable of detecting changes to PLC/SIS logic and unauthorized uses of proprietary protocols.
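The Recovery step (validating that SIS logic had not been secretly altered) and the Endpoint Monitoring recommendation both come down to comparing what a controller is actually running against a known-good baseline and a change-control record. The Python below is an added example, not the report's or any vendor's code: the controller snapshots, commissioning baseline and approved-change records are constructed, the read-back of program and firmware images is assumed to be provided by whatever monitoring tool the site uses, and the keyswitch positions RUN and PROGRAM follow the report's wording.

```python
"""Fleet integrity audit for safety controllers.

Added example, not the report's or any vendor's code. The controller
snapshots, baseline and change-control records are constructed; the
keyswitch positions used (RUN, PROGRAM) follow the report's wording.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Snapshot:
    """What a monitoring job reads back from one controller."""
    name: str
    keyswitch: str        # physical key position reported by the controller
    program_image: bytes  # application (safety) logic read back from the controller
    firmware_image: bytes


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(snapshots: list[Snapshot]) -> dict[str, dict[str, str]]:
    """Record program and firmware digests at commissioning (golden state)."""
    return {
        s.name: {"program": digest(s.program_image), "firmware": digest(s.firmware_image)}
        for s in snapshots
    }


def audit(snapshots, baseline, approved_changes) -> list[tuple[str, str]]:
    """Compare live snapshots with the baseline and the change-control log.

    approved_changes maps controller name -> set of program digests that went
    through change control. Returns (controller, finding_code) pairs:
      KEYSWITCH_NOT_RUN        key left in a position that permits logic changes
      LOGIC_CHANGED_UNAPPROVED program differs from baseline, no approved change
      LOGIC_CHANGED_APPROVED   program differs, matches an approved change (rebaseline)
      FIRMWARE_CHANGED         firmware differs from the commissioned image
      UNKNOWN_CONTROLLER       responding device not in the baseline at all
    """
    findings = []
    for s in snapshots:
        if s.name not in baseline:
            findings.append((s.name, "UNKNOWN_CONTROLLER"))
            continue
        if s.keyswitch.upper() != "RUN":
            findings.append((s.name, "KEYSWITCH_NOT_RUN"))
        prog = digest(s.program_image)
        if prog != baseline[s.name]["program"]:
            if prog in approved_changes.get(s.name, set()):
                findings.append((s.name, "LOGIC_CHANGED_APPROVED"))
            else:
                findings.append((s.name, "LOGIC_CHANGED_UNAPPROVED"))
        if digest(s.firmware_image) != baseline[s.name]["firmware"]:
            findings.append((s.name, "FIRMWARE_CHANGED"))
    return findings


# Constructed commissioning state.
FW_V1 = b"firmware-image-v1"
COMMISSIONED = [
    Snapshot("sis-ctrl-01", "RUN", b"logic-rev-3", FW_V1),
    Snapshot("sis-ctrl-02", "RUN", b"logic-rev-7", FW_V1),
    Snapshot("sis-ctrl-03", "RUN", b"logic-rev-2", FW_V1),
]
BASELINE = build_baseline(COMMISSIONED)

# Only ctrl-03 has a program revision that went through change control.
APPROVED_CHANGES = {"sis-ctrl-03": {digest(b"logic-rev-4")}}

# Constructed live readback: ctrl-02 has been left in PROGRAM and its logic
# no longer matches anything approved; ctrl-03 was legitimately updated.
LIVE = [
    Snapshot("sis-ctrl-01", "RUN", b"logic-rev-3", FW_V1),
    Snapshot("sis-ctrl-02", "PROGRAM", b"logic-rev-7-modified", FW_V1),
    Snapshot("sis-ctrl-03", "RUN", b"logic-rev-4", FW_V1),
]


if __name__ == "__main__":
    for name, code in audit(LIVE, BASELINE, APPROVED_CHANGES):
        print(f"{name}: {code}")
```

Reconciling against the change-control log rather than alerting on every difference is what keeps such a check usable: legitimate engineering work produces a new digest that is already on file, while an unlogged change to safety logic is exactly the condition the report describes and should be treated as an incident until explained.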