TRISIS, also known as TRITON or HatMan, is malware that targets Schneider Electric Triconex Safety Instrumented System (SIS) controllers. It was discovered in December 2017 by the cybersecurity firm Mandiant, a FireEye company, while responding to a cyber incident at an undisclosed critical infrastructure organization. The firm determined that TRITON was built specifically to interact with these SIS controllers and believes that the actor or group behind the attack may have been attempting to develop the capability to cause physical damage to the organization's equipment and halt its operations.
It was determined that TRITON was deployed manually after a threat actor gained remote access to an SIS engineering workstation in an effort to reprogram the SIS controllers. The attempt caused some SIS controllers to enter a failed safe state, resulting in the automatic shutdown of the associated industrial process. FireEye believes the attacker previously had access to, and familiarity with, SIS hardware and software, because the malware implements the proprietary TriStation protocol, which is not publicly documented.
According to FireEye's report, TRITON masquerades as the legitimate Triconex application Trilog, a TriStation program used to review logs on Windows engineering workstations. It is delivered as trilog.exe, a Py2EXE-compiled Python executable that depends on a ZIP file named library.zip containing the attacker's custom TriStation communication library, together with two binary files, inject.bin and imain.bin, that form the payload for the controller. The framework can read and write programs, read and write individual functions, and query the state of an SIS controller. It communicates with the Triconex controller over TriStation, sending commands such as halt or read memory content, and can reprogram the controller with an attacker-defined payload. If the targeted controller fails, TRITON attempts to return it to a running state; if the controller cannot recover within a set time window, the malware overwrites its malicious program with invalid data to cover its tracks and hinder analysis. Because SIS controllers monitor industrial equipment and bring a process to a safe state when it leaves its operating limits, any compromise of these systems has the potential to cause physical damage and disrupt operations.
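The description above gives a defender two places to look: the engineering workstation, where the loader and payload files land, and the network path between workstations and the safety controllers, which carries TriStation. The script below is an added example written for this page, not code from FireEye, Dragos or the malware itself. It scores a directory listing for the file names the report names (treating a lone trilog.exe as weak evidence, since the malware was named after a legitimate application) and flags TriStation traffic to a controller from any host that is not an approved engineering workstation. The file paths, IP addresses, and flow records are constructed sample data, and the TriStation port (UDP/1502) is an assumption taken from public analysis rather than from this page.

```python
"""Hunting for TRITON-style deployment artifacts and rogue TriStation traffic.

Added example for illustration; the sample data below is constructed.
"""
import ntpath
from collections import defaultdict

# File names FireEye reported for the TRITON deployment.
TRITON_LOADER = "trilog.exe"
TRITON_PAYLOADS = {"inject.bin", "imain.bin"}
TRITON_COMPANIONS = TRITON_PAYLOADS | {"library.zip"}

# Assumption (not stated on the page): TriStation engineering traffic is UDP/1502.
TRISTATION_PORT = 1502


def find_triton_artifacts(paths):
    """Group file paths by directory and score each directory.

    trilog.exe on its own is weak evidence because the malware borrowed the name of
    the legitimate Trilog application. A directory holding trilog.exe next to
    library.zip and the inject.bin/imain.bin payloads matches the deployment FireEye
    described and is reported as 'high'; payload binaries without the loader are
    'medium'; anything else that matches is 'low'.
    """
    by_dir = defaultdict(set)
    for path in paths:
        directory, name = ntpath.split(path)  # Windows paths, even on a Linux analyst box
        by_dir[directory].add(name.lower())

    findings = []
    for directory, names in by_dir.items():
        hits = ({TRITON_LOADER} | TRITON_COMPANIONS) & names
        if not hits:
            continue
        if TRITON_LOADER in hits and len(hits & TRITON_COMPANIONS) >= 2:
            severity = "high"
        elif hits & TRITON_PAYLOADS:
            severity = "medium"
        else:
            severity = "low"
        findings.append({"dir": directory, "files": sorted(hits), "severity": severity})
    return sorted(findings, key=lambda f: f["dir"])


def find_rogue_tristation(flows, controllers, approved_workstations):
    """Return flows that speak TriStation to a safety controller from a host that is
    not an approved engineering workstation.

    Only the engineering workstation should ever download programs to the SIS, so any
    other source talking TriStation to a controller is worth an alert.
    """
    rogue = []
    for flow in flows:
        if flow["proto"] != "udp" or flow["dport"] != TRISTATION_PORT:
            continue
        if flow["dst"] not in controllers:
            continue
        if flow["src"] in approved_workstations:
            continue
        rogue.append(flow)
    return rogue


# Constructed sample data: a file listing from an engineering workstation and a few
# flow records. 10.0.10.5 is the approved workstation, 10.0.20.1 the Triconex.
SAMPLE_FILES = [
    r"C:\Users\ews\Desktop\trilog.exe",
    r"C:\Users\ews\Desktop\library.zip",
    r"C:\Users\ews\Desktop\inject.bin",
    r"C:\Users\ews\Desktop\imain.bin",
    r"C:\Triconex\Trilog\trilog.exe",  # lone copy: could be the real tool
]
SAMPLE_FLOWS = [
    {"src": "10.0.10.5", "dst": "10.0.20.1", "proto": "udp", "dport": 1502},   # approved
    {"src": "10.0.10.77", "dst": "10.0.20.1", "proto": "udp", "dport": 1502},  # rogue
    {"src": "10.0.10.77", "dst": "10.0.20.1", "proto": "tcp", "dport": 502},   # not TriStation
    {"src": "10.0.10.77", "dst": "10.0.30.9", "proto": "udp", "dport": 1502},  # not a controller
]
CONTROLLERS = {"10.0.20.1"}
APPROVED_WORKSTATIONS = {"10.0.10.5"}

if __name__ == "__main__":
    for finding in find_triton_artifacts(SAMPLE_FILES):
        print(f"[{finding['severity']}] {finding['dir']}: {', '.join(finding['files'])}")
    for flow in find_rogue_tristation(SAMPLE_FLOWS, CONTROLLERS, APPROVED_WORKSTATIONS):
        print(f"[rogue TriStation] {flow['src']} -> {flow['dst']}")
```

The two checks cover different cases. In the incident described above the attacker worked from the engineering workstation itself, so its TriStation traffic would have looked legitimate on the wire and only the host artifacts would have given it away; the network check instead catches an attacker who reaches the controller from anywhere else. Legitimate program downloads to an SIS are rare and scheduled, so even traffic from the approved workstation outside a change window deserves a look.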
This activity is attributed to XENOTIME, an advanced persistent threat (APT) group active since about 2014. FireEye later linked TRITON/TRISIS to the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), a technical research organization owned by the Russian government.
On December 22, 2017, researchers discovered that a file containing pertinent data on the trojan's framework had been mistakenly uploaded to the public malware repository VirusTotal. Though it was removed from the repository less than 24 hours later, the file was quickly copied and has since been uploaded to various other public sites, including GitHub. A threat actor could use this file, along with other publicly available artifacts, to reconstruct the trojan.
January 2018: TRISIS has mistakenly been released on the open internet. (Cyberscoop)
May 2018: XENOTIME, the group behind TRISIS, is expanding their targeting globally and to safety systems beyond Triconex. (Dragos)
April 2019: Triton threat actors are detected at another critical infrastructure facility. (Help Net Security)
June 2019: Dragos released a blog post detailing recent XENOTIME activity. Since late 2018, the group has been conducting reconnaissance against the networks of electric utilities in the US and the Asia-Pacific region, gathering information and attempting initial access operations. (Dragos)
Indicators of Compromise (IoCs), as well as additional technical detail about this threat, are available in the FireEye report titled Attackers Deploy New ICS Attack Framework "TRITON" and Cause Operational Disruption to Critical Infrastructure.
Dragos provides technical analysis of TRISIS, here.
Following the detection at another critical infrastructure facility, FireEye provides indicators, TTPs, and detections, here.
Image Source: FireEye