As many are aware, TRITON/TRISIS is back in the news. Another critical infrastructure organization was infiltrated with the same penetration framework used in the original attack documented in late 2017. In this most recent case, the framework was found on the IT network and had yet to reach the OT network. The attackers were conducting reconnaissance and were working to penetrate deeper, with the goal of reaching the engineering stations used to configure the safety systems. The malware targets Schneider Electric Triconex safety controllers, which are used to safeguard against industrial accidents.
PAS has updated our TRITON/TRISIS Fact Sheet with information about this latest event to help those with Triconex safety controllers understand what TRITON/TRISIS is and how they should respond.
In the most recent report from FireEye, the bad actor's sophistication is apparent. They avoid activities common to espionage, such as browsing files or grabbing large amounts of data. Instead, their attack tools are designed to maintain a presence in the system over time. This is in keeping with intruder tactics of learning as much as possible about the target's industrial processes while continuing to develop tools in preparation for an attack down the road.
In the previously discovered attack from 2017, the actor was present for nearly a year before gaining access to the Safety Instrumented System (SIS) engineering workstation. Once they gained access, they seemed to stay focused on maintaining access by limiting activities while trying to deploy TRITON to the OT network. PAS CEO and founder, Eddie Habibi, weighed in on why a bad actor would target the SIS in Security Week and Power Magazine articles.
In a recent Dark Reading article, I discuss how attackers have moved away from spreading malware to cause widespread havoc across multiple systems with no specific target in mind. Now, they are attempting to gain detailed technical knowledge on industrial control systems to target specific industries, countries, and companies. This new focus increases the chance that they can cause physical damage at an industrial facility, which can lead to equipment damage, environmental incidents, and loss of life.
These efforts not only show the sophistication of such attacks but should also raise awareness among those working within the OT space to remain ever vigilant.