Triton (2017)

From International cyber law: interactive toolkit
Date: The incident was disclosed by the cybersecurity company FireEye on 14 December 2017.[1] However, the actual date and location of the attack remain unknown.[1]
Suspected actor: There is uncertainty about the precise identity of the attacker.[1] According to FireEye, the attack was supported by a Moscow-based technical research institution, the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), which is owned by the Russian government.[2]
Target: The identity and location of the targeted facility or facilities have not been disclosed.[3] However, the incident is suspected to have taken place at a critical infrastructure facility in the Middle East.[3]
Targeted system: Industrial Control Systems (ICS); specifically, the safety system controlling the emergency shutdown of unspecified industrial processes.[1]
Method: ICS disruptive attack; malicious targeting of Triconex Safety Instrumented System (SIS) controllers via the TriStation protocol, using a malware framework known as TRITON.[4] After gaining remote access to an SIS workstation, the attacker deployed TRITON to reprogram the SIS controller with the aim of preventing the safety mechanisms from functioning properly.[1] The intended aim of the attack was to cause physical damage.[1]
Purpose: By deploying the TRITON malware, the attacker appears to have aimed at causing physical damage to critical infrastructure.[1] However, FireEye also suspects that the attacker may have had the long-term objective of developing the capability to cause physical damage to critical infrastructure.[1]
Result: The attack did not achieve its intended outcome of causing physical damage; however, it caused a temporary disruption of the industrial processes and of the operation of a critical infrastructure facility.[1] The deployment of the attack accidentally triggered an unintended automatic shutdown of the industrial processes, alerting the facility owners and prompting an investigation that ultimately resulted in the discovery of the attack.[1]
Aftermath: Before TRITON there had been a few significant incidents, such as Stuxnet, in which the deployed malware targeted industrial control systems (ICS) with the aim of causing physical destruction. However, TRITON was the first attack to target SIS devices.[5] The attack revealed a further vulnerability within the safety systems of critical infrastructure facilities that could be exploited, and triggered a significant amount of analysis and research aimed at developing solutions to address it.[6]
Analysed in: Scenario 03: Cyber operation against the power grid; Scenario 10: Cyber weapons review

Collected by: Alan Haji
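The method described above (remote access to the SIS engineering workstation, then reprogramming the Triconex controller over TriStation) suggests what a defender can monitor for. The following is an added example, not code from the toolkit or from any of the cited reports: it scans constructed flow records for TriStation traffic to SIS controllers from hosts other than the engineering workstation, and for program downloads from the legitimate workstation outside an approved change window. The port number is a known fact about TriStation (UDP/1502); the host addresses, the log format and the program_download flag are constructed assumptions.

```python
from datetime import datetime
from typing import List, Optional, Tuple

TRISTATION_PORT = 1502  # TriStation is carried over UDP/1502 (known fact, not stated on the page)

# Constructed inventory: the one engineering workstation allowed to speak TriStation,
# the Triconex SIS controllers it manages, and the approved window for reprogramming them.
ENGINEERING_WORKSTATIONS = {"10.10.1.10"}
SIS_CONTROLLERS = {"10.10.2.20", "10.10.2.21"}
CHANGE_WINDOW = (datetime(2020, 1, 15, 8, 0), datetime(2020, 1, 15, 12, 0))

# Constructed flow records: ts,src,dst,proto,dport,program_download (1 = the session carried a
# program-download request; a real sensor would derive this flag by decoding TriStation).
SAMPLE_LOG = """\
2020-01-15T09:15:00,10.10.1.10,10.10.2.20,udp,1502,1
2020-01-15T22:41:00,10.10.1.10,10.10.2.20,udp,1502,1
2020-01-15T22:43:00,10.10.1.10,10.10.2.21,udp,1502,0
2020-01-15T22:50:00,10.10.5.77,10.10.2.21,udp,1502,1
2020-01-15T23:00:00,10.10.1.10,10.10.3.5,tcp,502,0
"""

def parse_line(line: str) -> dict:
    """Split one constructed flow record into typed fields."""
    ts, src, dst, proto, dport, pd = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "proto": proto, "dport": int(dport), "program_download": pd == "1"}

def classify(flow: dict) -> Optional[str]:
    """Label a TriStation flow that breaks the expected pattern; None if nothing is wrong."""
    if flow["proto"] != "udp" or flow["dport"] != TRISTATION_PORT or flow["dst"] not in SIS_CONTROLLERS:
        return None  # not TriStation traffic to an SIS controller
    if flow["src"] not in ENGINEERING_WORKSTATIONS:
        return "TRISTATION_FROM_UNEXPECTED_HOST"  # the SIS should only be reached from the engineering station
    in_window = CHANGE_WINDOW[0] <= flow["ts"] <= CHANGE_WINDOW[1]
    if flow["program_download"] and not in_window:
        # The TRITON pattern: the legitimate workstation, but a reprogramming with no approved change.
        return "SIS_PROGRAM_CHANGE_OUTSIDE_WINDOW"
    return None

def scan(log: str) -> List[Tuple[str, str]]:
    """Return (timestamp, alert) pairs for every anomalous record in a log."""
    alerts = []
    for line in log.splitlines():
        flow = parse_line(line)
        label = classify(flow)
        if label:
            alerts.append((flow["ts"].isoformat(), label))
    return alerts
```

The second alert type is the one that matters for this incident: because TRITON was delivered from the compromised SIS workstation, a source allowlist alone would not have flagged it, whereas a program download with no matching change record would.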

  1. Blake Johnson et al., ‘Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure’ (14 December 2017), accessed 27 February 2020.
  2. FireEye Intelligence, ‘TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers’ (23 October 2018), accessed 27 February 2020.
  3. Jim Finkle, ‘Hackers halt plant operations in watershed cyber attack’ Reuters (14 December 2017), accessed 27 February 2020.
  4. For a more detailed account of the implementation and execution of the attack see, e.g., Steve Miller and Evan Reese, ‘A Totally Tubular Treatise on TRITON and TriStation’ (7 June 2018), accessed 27 February 2020.
  5. Samuel Gibbs, ‘Triton: Hackers Take Out Safety Systems in “Watershed” Attack on Energy Plant’ The Guardian (15 December 2017), accessed 27 February 2020.
  6. See, e.g., Steve Miller et al., ‘TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping’ (10 April 2019), accessed 5 March 2020; Andrea Carcano, ‘Black Hat: Understanding TRITON, The First SIS Cyber Attack’ (8 August 2018), accessed 5 March 2020; Thomas Roccia, ‘Triton Malware Spearheads Latest Generation of Attacks on Industrial Systems’ (8 November 2018), accessed 5 March 2020.