What lessons does the TRISIS/TRITON attack on a Middle Eastern petrochemical facility hold for industry? Speakers at SecurityWeek's ICS Security Conference think there are at least three. First, hunt behaviors, not signatures. Second, the barriers to effective attacks on safety instrumentation systems have dropped. And third, there's now malware out there that's been built to kill.
Hunting for Xenotime.
In November 2017 a team from industrial cybersecurity firm Dragos discovered highly tailored malware deployed against a petrochemical facility in the Middle East. They called the malware "TRISIS" because the system it affected was Schneider Electric's Triconex safety instrumented system. The malware enabled attackers to replace final control element logic. The incident has become notorious for its disturbing potential lethality, a potential that happily went unrealized.
Dragos CEO Robert M. Lee described the threat actors behind the TRISIS malware (also known as "TRITON") as "the most aggressive" he'd ever seen. He calls them "Xenotime," but this isn't an alias for some nation-state's espionage unit or a criminal gang. Rather it denominates a threat actor best understood in terms of its methods, not its allegiances. It's not the who that's important, in Lee's view, but rather the how.
The history of the attack, like other bits of intelligence, is in Lee's view interesting because it deals with what happened, "with ground truth." Lee opened his presentation by correcting two bits of misinformation that were widely repeated when the story broke. It was not, first of all, an Iranian operation. Nor was the victim Saudi Aramco. Saudi Aramco was widely reported to have been hit, with often greatly exaggerated effect, but in fact it was not. The commendable role Saudi Aramco played was instead one of incident response in support of the unnamed company that was the victim.
The disturbing lesson from the incident is that cyberattacks are now being designed to kill. TRISIS was intended to be lethal, and other such attacks can be expected. It's important to understand that TRISIS was designed for use against safety instrumentation systems, as opposed to protection systems. Because safety instrumentation systems are highly tailored to specific installations, chasing malware indicators is unlikely to pay off. It's better to look at the tradecraft.
When you do look at that tradecraft, a more complex picture emerges. There have been signs of Xenotime activity in Europe and North America as well as in the Middle East, and the threat actor began showing up in 2014 and 2015, two years before the TRISIS attacks. They conducted reconnaissance, pivoted into the safety instrumentation systems, and then developed their attack tools.
In many respects Xenotime's behavior looked like "common pentesting stuff." They targeted Remote Desktop Protocol and went after remote authentication and management portals, including VPN concentrators and network device configuration sites. They exploited PowerShell and other native tools; they engaged in custom credential theft. They moved laterally through targeted networks, and above all they lived off the land.
The lesson Lee drew for the audience was that the purpose of threat hunting is to find specific behaviors, not to go looking for unknown unknowns. And he stressed that in this field one should focus on the behaviors, not the signatures. Signatures change, but common aspects of a threat actor's tradecraft will appear in many attacks.
Lee closed by offering some encouragement. He cautioned people against forming a picture of the attacker as hyper-competent and effectively invincible. Instead, he argued, remember that they make mistakes. They certainly did with TRISIS—their attack on safety systems shut the facility down, twice, which wasn't their intention. Lee suggested an alternative picture of the ICS hacker: they're 18 to 30 years old, they're in their first government job, and they're dealing with management and PowerPoint "just like you."
Have a credit card and Internet access? You've got an attack R&D program.
Like Dragos's Lee, Nozomi's co-founder Dr. Andrea Carcano drew a sharp distinction between industrial control systems and safety instrumentation systems proper. The safety instrumentation system ensures that a process is running within safe parameters. Modern safety instrumentation systems (SIS) are software-based, and current best practices prescribe that they run on a dedicated network. The TRITON/TRISIS malware, however, attacked just such systems.
The attackers in 2017 appeared, Carcano said, to have obtained access to an SIS workstation. (There's speculation that they may have come in through remote desktop protocol to an engineering workstation.) In any case, there were many steps an attacker would need to take to reach the SIS, and yet they were able to accomplish their intrusion. Nozomi's own investigation of the malware, including their reverse engineering of the probable attack methods, led them to conclude that, as Carcano put it, "exploitation [of industrial control systems] is no longer for the elite." Increased connectivity, readily available exploitation tools and malware samples, and easily accessible ICS documentation and equipment have combined to lower barriers to entry for those who wish to attack safety systems.
Nozomi's reverse engineering project found that, to build their own version of TRITON, they needed to (1) gather intelligence, (2) "build a shopping list," (3) reverse engineer some engineering software, and (4) reverse engineer the target system's protocol. They invested two weeks and a few thousand dollars to replicate TRITON. The amount of information about safety systems available online is sobering. Building an attack is a complex task, Carcano said, but building the malware is not.
The number of reported vulnerabilities in industrial systems is growing. Carcano closed by urging the security community to develop auditing and forensic tools that can be used to find the threats before these exploits become common.