LTS Secure Warning: Malware Targeting Industrial Control Systems (ICS) in the Middle East

SCADA/ICS Threat

The Triton malware, which first came to light after a disruptive critical-infrastructure attack on Saudi oil giant Petro Rabigh in 2017, has found a second victim.

The cybercriminals behind Triton, also known as Trisis, have once again began to target industrial control systems (ICS), this time at an undisclosed company in the Middle East.

Triton gets it name from the fact that it targets Triconex safety instrumented system (SIS) controllers, which are being sold by Schneider Electric.Their purpose is to shut down the plant’s operations in an event of a crisis and act as an automated safety defense for industrial facilities.They are designed to prevent equipment failure and catastrophic incidents such as explosions or fire.

Technical Details

Triton malware can’t be used for scale-able attack as it needs to be modified for each target organization given that every SIS is unique to the organization and industry it is used in. The detected variants of the malware are specifically built to tamper with Triconex products.

The attacker first gained remote access(RDP) to the SIS and then deployed Triton malware on the Windows-based workstation with the intent to reprogram the SIS controllers. The tool used to engineer and maintenance the Triconex SIS products is called TriStation. The TriStation protocol is proprietary and not publicly accessible. Triton leverages this protocol, which suggests that the attacker reverse-engineered it when developing the malware.

Once the SIS controller has been compromised, the attacker can reprogram the device to deliberately trigger a safe state, which will result in unwanted downtime and cause financial losses to the company.

Impact

  • Unwanted downtime
  • Financial losses
  • Physical impact on Production and plant

Recommended Actions

  • As this malware targets the Triconex MP3008 Firmware v10.0-10.4 MPC860 PowerPC Processor, users are advised to update their firmware once latest one or patch is available for that.
  • Users can properly segregate the physical and logical access to ICS networks by using DMZ and firewall so that unauthorized access can be prohibited.
  • Properly Logging and monitor every action on the ICS network to quickly identify any suspected traffic.
  • Implement proper redundancy on critical devices to avoid major issues.
  • Apply strict access control and application whitelisting on server or workstation that can communicate to the SIS system over TCP/IP.
  • Monitor ICS network traffic for unexpected communication flows and other anomalous activity.

LTS Secure monitors all the traffic following in your environment and uses it Intelligence engine coupled with Open Threat Exchange (OTX) pulses and to detect and safeguard your assets against such catastrophic incidents.