FireEye security researchers have discovered the latest victim of Triton malware, a destructive malware targeting critical infrastructure.
FireEye researchers were hired to investigate a breach at an undisclosed critical infrastructure facility and discovered the presence of Triton malware.
The same malware is linked to the failed attack against Saudi Arabian oil giant Petro Rabigh.
Triton malware is designed to manipulate and compromise the industrial control systems (ICS) at a critical infrastructure firm and to disrupt the normal operation of those systems.
After the initial infection, the threat actors took almost a year to launch the next stage of the intrusion, which was gaining access to the facility’s safety instrumented system (SIS) controllers.
“After establishing an initial foothold on the corporate network, the TRITON actor focused most of their effort on gaining access to the OT network. They did not exhibit activities commonly associated with espionage, such as using key loggers and screenshot grabbers, browsing files, and/or exfiltrating large amounts of information.”
“Most of the attack tools they used were focused on network reconnaissance, lateral movement, and maintaining presence in the target environment.”
Once they gained access to the site’s SIS controllers, they appeared to focus solely on maintaining access while attempting to deploy the TRITON malware successfully.
This also involved limiting their activities to lessen the chance of being discovered and of causing the systems to enter a safe fail-over state.
According to the analysis of the custom intrusion tools used in the attacks, the attackers have been operating since as early as 2014.
Given the existence of these tools and the attacker’s demonstrated interest in operational security, there may be other target environments beyond these two where the threat actor was, or still is, present.
Researchers also published technical details about the attack and advised staff in other critical infrastructure industries to use them to check for intrusions in their own systems.
For more technical details about the attack and the indicators of compromise observed in it, you can visit the analysis published by FireEye security researchers here.
“There is often a singular focus from the security community on ICS malware largely due to its novel nature and the fact that there are very few examples found in the wild. While this attention is useful for a variety of reasons, we argue that defenders and incident responders should focus more attention on so-called “conduit” systems when trying to identify or stop ICS-focused intrusions,” FireEye security researchers said in their post.