The hacker group behind the Triton malware strikes again

A highly capable hacker group reportedly behind a failed plot to blow up a Saudi petrochemical plant has now been found in a second facility.

FireEye researchers said it found traces of the so-called Triton group in another unnamed “critical infrastructure” facility. The group’s eponymous malware, previously linked to the Russian government, is designed to burrow into a target’s networks and sabotage their industrial control systems, often used in power plants and oil refineries to control the operations of the facility.

By compromising these controls, a successful attack can cause significant disruption — even destruction.

The company was tight-lipped on the intrusion at the second facility, declining to describe the type of facility or its location — or even the year of the attack. 

“We assess the group was attempting to build the capability to cause physical damage at the facility when they accidentally caused a process shutdown that led to the Mandiant investigation,” said Nathan Brubaker, senior manager, analysis at FireEye, in an email to TechCrunch describing the first incident.

Brubaker declined to comment on the motives of the second facility.

FireEye’s latest research revealed more about how the hackers work. Their findings showed the hackers could spend close to a year after their initial compromise of a facility’s network before launching a deeper assault, taking the time to prioritize their understanding of how the network looked and how to pivot from one system to another. The hackers’ goal is to quietly gain access to the facility’s safety instrumented system, an autonomous monitor that ensures physical systems don’t operate outside of their normal operational state. These critical systems are strictly segmented from the rest of the network to prevent any damage in the event of a cyberattack.

By gaining access to the critical safety system, the hackers focused on finding a way to effectively deploy Triton’s payloads to carry out their mission without causing the systems to enter into a safe fail-over state.

In the case of the August 2017 attack in which Triton was deployed, the Saudi facility would have been destroyed had it not been for a bug in the code.

“These attacks are also often carried out by nation states that may be interested in preparing for contingency operations rather than conducting an immediate attack,” said FireEye’s report. “During this time, the attacker must ensure continued access to the target environment or risk losing years of effort and potentially expensive custom [industrial control system] malware,” said the report. “This attack was no exception.”

But the security firm warned that the attackers’ slow and steady approach — which involved moving slowly and precisely as to not trigger any alarms — showed they had a deep focus on not getting caught. That, they said, suggests there may be other targets beyond the second facility “where the [hackers] was or still is present.”

The security company published lists of hashes unique to the files found in the second facility’s attack in a hope that IT staff in other at-risk industries and facilities can check for any compromise.

“Not only can these [tactics, techniques and procedures] be used to find evidence of intrusions, but identification of activity that has strong overlaps with the actor’s favored techniques can lead to stronger assessments of actor association, further bolstering incident response efforts,” the company said.