Triton (2017): Difference between revisions

From International cyber law: interactive toolkit
(Created page with "{| class="wikitable" ! scope="row"|Date |The incident was disclosed by the cybersecurity company FireEye on 14 December 2017. <ref name="Triton1">Blake Johnson et al., ‘[htt...")
 
mNo edit summary
Line 1: Line 1:
{| class="wikitable"
{| class="wikitable"
! scope="row"|Date
! scope="row"|Date
|The incident was disclosed by the cybersecurity company FireEye on 14 December 2017. <ref name="Triton1">Blake Johnson et al., [https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure] (14 December 2017), accessed 27 February 2020.</ref> However, the actual date and location of the attack remains unknown.<ref name="Triton1" />
|The incident was disclosed by the cybersecurity company FireEye on 14 December 2017.<ref name="Triton1">Blake Johnson et al., [https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html ‘Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure’] (14 December 2017), accessed 27 February 2020.</ref> However, the actual date and location of the attack remains unknown.<ref name="Triton1" />
|-
|-
! scope="row"|Suspected actor
! scope="row"|Suspected actor
|There is uncertainty about the precise identity of the attacker.<ref name="Triton1" /> According to FireEye, the attack was supported by a Moscow-based technical research institution known as the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), which is owned by the Russian government.<ref>FireEye Intelligence, [https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers] (23 October 2018), accessed 27 February 2020.</ref>
|There is uncertainty about the precise identity of the attacker.<ref name="Triton1" /> According to FireEye, the attack was supported by a Moscow-based technical research institution known as the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), which is owned by the Russian government.<ref>FireEye Intelligence, [https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html ‘TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers’] (23 October 2018), accessed 27 February 2020.</ref>
|-
|-
! scope="row"|Target
! scope="row"|Target
|The identity of the targeted facility or facilities and their location have not been disclosed.<ref name="Triton2">Jim Finkle, [https://www.reuters.com/article/us-cyber-infrastructure-attack/hackers-halt-plant-operations-in-watershed-cyber-attack-idUSKBN1E8271 Hackers halt plant operations in watershed cyber attack] Reuters (14 December 2017) accessed 27 February 2020.</ref> However, the incident is suspected to have taken place at a critical infrastructure facility in the Middle East.<ref name="Triton2" />
|The identity of the targeted facility or facilities and their location have not been disclosed.<ref name="Triton2">Jim Finkle, [https://www.reuters.com/article/us-cyber-infrastructure-attack/hackers-halt-plant-operations-in-watershed-cyber-attack-idUSKBN1E8271 ‘Hackers halt plant operations in watershed cyber attack’] Reuters (14 December 2017) accessed 27 February 2020.</ref> However, the incident is suspected to have taken place at a critical infrastructure facility in the Middle East.<ref name="Triton2" />
|-
|-
! scope="row"|Targeted System
! scope="row"|Targeted System
Line 13: Line 13:
|-
|-
! scope="row"|Method
! scope="row"|Method
|ICS disruptive attack; malicious targeting of the Triconex Safety Instrumented System (SIS) controllers via the TriStation protocol through a malware framework known as TRITON.<ref>For a more detailed account on the implementation and the execution of the attack see, e.g., Steve Miller and Evan Reese, [https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-triton-and-tristation.html A Totally Tubular Treatise on TRITON and TriStation] (7 June 2018), accessed 27 February 2020.</ref> The TRITON attack was deployed to reprogram the SIS controller, after gaining remote access to an SIS workstation aiming at preventing the safety mechanisms to function properly.<ref name="Triton1" /> The intended aim of the attack was to cause a physical damage.<ref name="Triton1" />
|ICS disruptive attack; malicious targeting of the Triconex Safety Instrumented System (SIS) controllers via the TriStation protocol through a malware framework known as TRITON.<ref>For a more detailed account on the implementation and the execution of the attack see, e.g., Steve Miller and Evan Reese, [https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-triton-and-tristation.html ‘A Totally Tubular Treatise on TRITON and TriStation’] (7 June 2018), accessed 27 February 2020.</ref> The TRITON attack was deployed to reprogram the SIS controller, after gaining remote access to an SIS workstation aiming at preventing the safety mechanisms to function properly.<ref name="Triton1" /> The intended aim of the attack was to cause a physical damage.<ref name="Triton1" />
|-
|-
! scope="row"|Purpose
! scope="row"|Purpose
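Review bot: the second sentence of the Method row is ungrammatical in both columns and misplaces its purpose clause, so "after gaining remote access to an SIS workstation aiming at preventing the safety mechanisms to function properly" reads as if the workstation were doing the aiming. Suggest: "After gaining remote access to an SIS engineering workstation, the attacker deployed TRITON to reprogram the SIS controller so that its safety functions would no longer operate correctly." In the last sentence "cause a physical damage" should be "cause physical damage", and since the claim rests on FireEye's assessment (the Purpose row of the same table hedges with "seems to have aimed"), "The intended aim of the attack was" would be more accurate as "FireEye assessed that the intended aim of the attack was".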
Line 22: Line 22:
|-
|-
! scope="row"|Aftermath
! scope="row"|Aftermath
|Before TRITON there had been few significant incidents, such as Stuxnet, where the deployed malware targeted the industrial control systems (ICS) with the aim of causing physical destruction. However, TRITON was the first attack to target SIS devices.<ref>Samuel Gibbs, [https://www.theguardian.com/technology/2017/dec/15/triton-hackers-malware-attack-safety-systems-energy-plant Triton: Hackers Take Out Safety Systems in “Watershed” Attack on Energy Plant] The Guardian (15 December 2017), accessed 27 February 2020.</ref> This attack revealed another vulnerability within the safety systems of critical infrastructure facilities that could be exploited, and triggered a significant amount of analysis and research aimed at developing solutions to cover such vulnerability.<ref>See, e.g., Steve Miller et al., [https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping] (10 April 2019), accessed 5 March 2020; Andrea Carcano, [https://www.nozominetworks.com/blog/black-hat-understanding-triton-the-first-sis-cyber-attack/ Black Hat: Understanding TRITON, The First SIS Cyber Attack] (8 August 2018) accessed 5 March 2020; Thomas Roccia, [https://www.mcafee.com/blogs/other-blogs/mcafee-labs/triton-malware-spearheads-latest-generation-of-attacks-on-industrial-systems/ Triton Malware Spearheads Latest Generation of Attacks on Industrial Systems] (8 November 2018), accessed 5 March 2020.</ref>
|Before TRITON there had been few significant incidents, such as Stuxnet, where the deployed malware targeted the industrial control systems (ICS) with the aim of causing physical destruction. However, TRITON was the first attack to target SIS devices.<ref>Samuel Gibbs, [https://www.theguardian.com/technology/2017/dec/15/triton-hackers-malware-attack-safety-systems-energy-plant ‘Triton: Hackers Take Out Safety Systems in “Watershed” Attack on Energy Plant’] The Guardian (15 December 2017), accessed 27 February 2020.</ref> This attack revealed another vulnerability within the safety systems of critical infrastructure facilities that could be exploited, and triggered a significant amount of analysis and research aimed at developing solutions to cover such vulnerability.<ref>See, e.g., Steve Miller et al., [https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html ‘TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping’] (10 April 2019), accessed 5 March 2020; Andrea Carcano, [https://www.nozominetworks.com/blog/black-hat-understanding-triton-the-first-sis-cyber-attack/ ‘Black Hat: Understanding TRITON, The First SIS Cyber Attack’] (8 August 2018) accessed 5 March 2020; Thomas Roccia, [https://www.mcafee.com/blogs/other-blogs/mcafee-labs/triton-malware-spearheads-latest-generation-of-attacks-on-industrial-systems/ ‘Triton Malware Spearheads Latest Generation of Attacks on Industrial Systems’] (8 November 2018), accessed 5 March 2020.</ref>
|-
|-
! scope="row"|Analysed in
! scope="row"|Analysed in
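Review bot: in the Aftermath row "there had been few significant incidents, such as Stuxnet" should be "a few significant incidents" (the sentence lists an example, so it is not saying such incidents were rare), and "solutions to cover such vulnerability" is not idiomatic; suggest "measures to address this vulnerability". As in the earlier hunks, only quotation marks are added around titles; the Nozomi Networks reference in this row still omits the comma before "accessed" that the other two entries carry.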

Revision as of 14:44, 3 April 2020

Date: The incident was disclosed by the cybersecurity company FireEye on 14 December 2017.[1] However, the actual date and location of the attack remain unknown.[1]
Suspected actor: There is uncertainty about the precise identity of the attacker.[1] According to FireEye, the attack was supported by a Moscow-based technical research institution, the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), which is owned by the Russian government.[2]
Target: The identity of the targeted facility or facilities and their location have not been disclosed.[3] However, the incident is suspected to have taken place at a critical infrastructure facility in the Middle East.[3]
Targeted System: Industrial Control Systems (ICS); specifically, the safety system controlling the emergency shutdown of unspecified industrial processes.[1]
Method: ICS disruptive attack; malicious targeting of Triconex Safety Instrumented System (SIS) controllers via the TriStation protocol, using a malware framework known as TRITON.[4] After gaining remote access to an SIS engineering workstation, the attacker deployed TRITON to reprogram the SIS controller so that its safety functions would no longer operate correctly.[1] FireEye assessed that the intended aim of the attack was to cause physical damage.[1]
Purpose: By deploying the TRITON malware, the attacker appears to have aimed at causing physical damage to critical infrastructure.[1] FireEye also suspects that the attacker had the longer-term objective of developing the capability to cause such damage.[1]
Result: The attack did not achieve its intended outcome of causing physical damage; however, it caused a temporary disruption of the industrial processes and of the operation of a critical infrastructure facility.[1] The deployment accidentally triggered an unintended automatic shutdown of the industrial processes, alerting the facility owners and prompting an investigation that ultimately uncovered the attack.[1]
Aftermath: Before TRITON there had been a few significant incidents, such as Stuxnet, in which the deployed malware targeted industrial control systems (ICS) with the aim of causing physical destruction. TRITON, however, was the first attack to target SIS devices.[5] The attack revealed a further exploitable vulnerability in the safety systems of critical infrastructure facilities and triggered a significant amount of analysis and research aimed at developing measures to address it.[6]
Analysed in: Scenario 03: Cyber operation against the power grid; Scenario 10: Cyber weapons review
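The Method row describes the attack path: remote access to the SIS engineering workstation, then TriStation traffic to the Triconex controller to reprogram it. A practitioner's first check against that path is whether anything other than the designated engineering workstation ever talks TriStation to the safety controllers. The following is an added example written for this page, not code from the toolkit, from FireEye or from the TRITON analyses it cites. It assumes that TriStation runs over UDP port 1502 (as described in FireEye's public TriStation analysis), and the flow-record format, IP addresses and sample flows are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, List, Set

# Assumption (not stated on the toolkit page): TriStation, the Triconex engineering
# protocol TRITON used to reach the controller, runs over UDP port 1502 per
# FireEye's public TriStation analysis.
TRISTATION_UDP_PORT = 1502


@dataclass(frozen=True)
class Flow:
    """One flow record: timestamp, source, destination, transport protocol, destination port."""
    ts: str
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Alert:
    flow: Flow
    reason: str


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated flow line (constructed format, not a real sensor export)."""
    ts, src, dst, proto, dport = line.split()
    return Flow(ts, src, dst, proto.lower(), int(dport))


def is_tristation(flow: Flow) -> bool:
    """True if the flow looks like TriStation engineering traffic (UDP to port 1502)."""
    return flow.proto == "udp" and flow.dport == TRISTATION_UDP_PORT


def audit_sis_traffic(lines: Iterable[str], sis_controllers: Set[str],
                      engineering_workstations: Set[str]) -> List[Alert]:
    """Return one alert for every flow to a SIS controller that breaks the expected
    pattern: only TriStation, and only from a designated engineering workstation.
    Anything else reaching a safety controller is worth an analyst's attention."""
    alerts: List[Alert] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        if flow.dst not in sis_controllers:
            continue  # only traffic towards the safety controllers is in scope here
        if is_tristation(flow):
            if flow.src not in engineering_workstations:
                alerts.append(Alert(flow, "TriStation from non-engineering host"))
        else:
            alerts.append(Alert(flow, f"unexpected {flow.proto}/{flow.dport} to SIS controller"))
    return alerts


# Constructed sample flows (not captured data): 10.10.30.x are the SIS controllers,
# 10.10.20.5 the authorised engineering workstation, 10.10.20.77 an unexpected host.
SAMPLE_FLOWS = """
2020-01-01T03:12:09Z 10.10.20.5  10.10.30.11 udp 1502
2020-01-01T03:12:31Z 10.10.20.77 10.10.30.11 udp 1502
2020-01-01T03:13:02Z 10.10.20.5  10.10.30.12 udp 1502
2020-01-01T03:13:40Z 10.10.20.77 10.10.30.12 tcp 445
2020-01-01T03:14:05Z 10.10.20.5  10.10.40.9  tcp 443
""".strip().splitlines()

SIS_CONTROLLERS = {"10.10.30.11", "10.10.30.12"}
ENGINEERING_WORKSTATIONS = {"10.10.20.5"}


def run_sample() -> List[Alert]:
    """Audit the constructed sample: expect two alerts (rogue TriStation source, SMB to a controller)."""
    return audit_sis_traffic(SAMPLE_FLOWS, SIS_CONTROLLERS, ENGINEERING_WORKSTATIONS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.flow.ts} {a.flow.src} -> {a.flow.dst} {a.flow.proto}/{a.flow.dport}: {a.reason}")
```

The check only catches TriStation traffic from hosts that should never send it. The path the page describes, TRITON run from the legitimate engineering workstation after that workstation was compromised, passes an allowlist like this one, so it has to be paired with evidence from the controller side (programming events, and the physical keyswitch, which Schneider Electric advises leaving out of PROGRAM mode during normal operation) and with monitoring of the remote access into the SIS network itself.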

Collected by: Alan Haji

  1. Blake Johnson et al., ‘Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure’, FireEye (14 December 2017), https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html, accessed 27 February 2020.
  2. FireEye Intelligence, ‘TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers’, FireEye (23 October 2018), https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html, accessed 27 February 2020.
  3. Jim Finkle, ‘Hackers halt plant operations in watershed cyber attack’, Reuters (14 December 2017), https://www.reuters.com/article/us-cyber-infrastructure-attack/hackers-halt-plant-operations-in-watershed-cyber-attack-idUSKBN1E8271, accessed 27 February 2020.
  4. For a more detailed account of the implementation and execution of the attack see, e.g., Steve Miller and Evan Reese, ‘A Totally Tubular Treatise on TRITON and TriStation’, FireEye (7 June 2018), https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-triton-and-tristation.html, accessed 27 February 2020.
  5. Samuel Gibbs, ‘Triton: Hackers Take Out Safety Systems in “Watershed” Attack on Energy Plant’, The Guardian (15 December 2017), https://www.theguardian.com/technology/2017/dec/15/triton-hackers-malware-attack-safety-systems-energy-plant, accessed 27 February 2020.
  6. See, e.g., Steve Miller et al., ‘TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping’, FireEye (10 April 2019), https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html, accessed 5 March 2020; Andrea Carcano, ‘Black Hat: Understanding TRITON, The First SIS Cyber Attack’, Nozomi Networks (8 August 2018), https://www.nozominetworks.com/blog/black-hat-understanding-triton-the-first-sis-cyber-attack/, accessed 5 March 2020; Thomas Roccia, ‘Triton Malware Spearheads Latest Generation of Attacks on Industrial Systems’, McAfee Labs (8 November 2018), https://www.mcafee.com/blogs/other-blogs/mcafee-labs/triton-malware-spearheads-latest-generation-of-attacks-on-industrial-systems/, accessed 5 March 2020.