The Triton Attack on an SIS Controller – an Update
By John Lear 4 April 2019
In late 2017, a cyber attack occurred on the Triconex Safety System of a Middle Eastern facility. The attackers tried to change the code in the Safety Controller, but during one of the steps of the attack the controller shut down. This led to a “crash” shutdown of the facility, with all safety system outputs going to their “safe” values. In practice, this is likely to mean that most valves and drives on the facility went to their “fail” states. While in theory facilities are designed to go to their “fail safe” states, in practice it may be rather exciting.
On 18 December 2018, ICS-CERT released an update on details of what has been titled “HatMan - Safety System Targeted Malware” (https://ics-cert.us-cert.gov/MAR-17-352-01-HatMan-Safety-System-Targeted-Malware-Update-B). The update included details of the YARA signature to identify a custom, Windows-based remote deployment tool that threat actors may have used.
However, of more interest is the general commentary on the implications of the attack.
The construction of the different HatMan components indicates significant knowledge about ICS environments—specifically Tricon controllers—and an extended development lifecycle to refine such an advanced attack. In addition, it is very likely that an additional component or a separate piece of malware has been developed to impact a control system in tandem with a HatMan attack on the safety system. Although there may be theories as to what this might look like—considering the areas in which Triconex equipment is used—this piece of the puzzle has not yet been revealed.
It is also worth considering the possibility of other threat actors moving into this attack space. Because the HatMan samples have been made public—some files are on VirusTotal and many have been made available on other sites—it is very likely that both researchers and other threat actors alike are doing their own analysis. In particular, the components made available could allow another party to build a similar attack, or to use it as a basis for attacks on other systems. To this end, the security of all safety systems, not just Triconex controllers, should be considered.
In summary, it is an indication that there are sophisticated teams working in the area, and that operators of Industrial Control Systems need to be on the alert.
With regard to defence, there are some offerings to help detect some aspects of the current knowledge of this attack, but “ultimately, the best mitigation strategy for this malware—and others of the same sort—is to employ defense in depth and follow any relevant best practices. Rather than solely attempting to protect vulnerable targets—such as the Triconex devices targeted by HatMan—one prevents an attacker from ever reaching them.”
KAJE Cyber can assist you in protecting your assets by undertaking an ICS Risk Assessment, in accordance with IEC 62443, to help identify the layers of defence most appropriate to your system.