A Remote Access Trojan Made in Russia

The US government blames a Russian research institute for supporting the recent TRITON/TRISIS/HatMan attacks. How do these attacks work? How can industrial sites be protected? And what are the rules and regulations?

The US Department of the Treasury recently announced sanctions against the State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM). This Russian state-funded research institute is the organization described by the Treasury Department as having supported the TRITON/TRISIS/HatMan attack on Safety Instrumented Systems (SIS) at petrochemical targets in the Middle East.

In 2017 and again in 2019, the TRITON attacks reprogrammed safety systems, apparently trying to cause safety incidents in two separate petrochemical processing facilities. “Safety incidents” sounds bland – really, sabotaging safety systems comes very close to attempted murder. Safety systems in refineries or other petrochemical facilities are the computers that monitor for unsafe conditions. When the computers detect an unsafe condition, they shut down part or all of the site to prevent explosions, fires, asphyxiation or other life-threatening conditions. When safety systems are compromised, they can no longer prevent these unsafe conditions.

Fortunately, none of the attacks seem to have resulted in casualties. In the 2017 attack, the attackers made mistakes, twice. Both mistakes caused the petrochemical facility to shut down. After the second unplanned shutdown, the engineering team became suspicious and called in cyber investigators, who uncovered the SIS sabotage. And the 2019 attack? Details have not been released to the public.

How do these attacks work?

The TRITON attacks worked by remote control. Details of how TRITON first entered the petrochemical targets have not been released, but in this class of attack, the attackers generally get a foothold on an enterprise network by stealing passwords through “phishing” emails or by sending malicious attachments in email. Once they have even the smallest foothold on the target’s network, the attackers install a Remote Access Trojan (RAT). A RAT is a piece of software that reaches out to the Internet and connects to a Command and Control Center. The attackers then use the control center to operate the RAT remotely.

They use the RAT to plant other RATs elsewhere in the organization so that if one of their compromised machines is discovered, they still have other ways into the organization. They use tools that search memory on compromised machines to find Windows passwords, password hashes, Kerberos tickets, or other account information. They use this information, again, to extend their reach into other computers, and eventually reach through firewalls into industrial networks. Investigators tell us that once the TRITON attackers were connected deep into control system networks, they set about reprogramming and ultimately sabotaging the safety systems.

The bad news? These attack techniques are not unique to TRITON – these same techniques are used by targeted ransomware. The attackers behind targeted ransomware use RATs and remote control to dig deep into a target network and plant their ransomware on networks that the attackers think their targets will pay the most to recover.

How to protect industrial sites

Another important thing to understand here is that those petrochemical sites targeted by TRITON/TRISIS were almost certainly not “soft” targets. Large petrochemical processing sites tend to be heavily defended cyber-wise, with firewalls, encryption, anti-malware systems, intrusion detection, security monitoring and other software-based defenses. Targeted attacks like TRITON, as well as targeted ransomware, routinely defeat this class of software defenses. Layers of security and monitoring software are simply not enough to protect important targets from modern attacks.

So how do we defend against this class of attack? Well, when we created Waterfall Security Solutions in 2007, it was precisely this type of attack that was our motivation. At Waterfall, we invented our flagship Unidirectional Security Gateway family of products specifically to defeat what was then the emerging threat of targeted attacks on industrial systems. What was then an emerging threat is today’s pervasive threat. For over a decade, Unidirectional Gateway hardware has enabled enterprise users and applications to monitor industrial networks safely, without introducing the firewalled attack paths that are exploited so effectively by targeted attacks.

Rules and regulations

The pervasive threat of targeted, remote-control attacks is one of the big reasons for new cybersecurity regulations and recommendations in many jurisdictions. Critical infrastructure regulations in South Korea, Israel, Singapore and France demand unidirectional protections for certain classes of networks. The latest draft CENELEC 50701 guidance for European railway operations recommends unidirectional protections, as does all recent industrial security advice from the US Department of Homeland Security.

When deployed as these regulations and guidance describe, Unidirectional Gateways are the only connection between industrial control networks and any outside network. The gateway hardware is physically able to send information in only one direction – from the industrial network out to an enterprise network or other external network. The gateway hardware is not physically able to send remote attack commands, passwords, tickets or other attack information back into protected industrial networks.
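The difference between a "firewalled attack path" and a unidirectional connection can be made concrete by auditing a zone-based rule set for any allow-rule that points into an industrial zone from outside. The following is an added example written for this article, not Waterfall's code; the zone names, ports and rule format are constructed, and the two sample policies are illustrative. Note that a software firewall with no inbound allow-rules still passes stateful return traffic for outbound sessions, which is exactly the residual path the hardware gateway removes.

```python
"""Audit a simple zone firewall policy for inbound paths into industrial zones.

Added example: models the article's point that monitoring an industrial
network through a firewall tends to leave allow-rules pointing back into
it, while a unidirectional deployment permits only industrial -> outside
flows. Zone names, ports and rules below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    port: int
    action: str  # "allow" or "deny"


# Constructed zone names for the protected side of the gateway.
INDUSTRIAL_ZONES = {"control", "sis"}


def inbound_paths(rules):
    """Return every allow-rule whose destination is an industrial zone and
    whose source is not, i.e. a path an external host could use inward."""
    return [r for r in rules
            if r.action == "allow"
            and r.dst_zone in INDUSTRIAL_ZONES
            and r.src_zone not in INDUSTRIAL_ZONES]


def is_unidirectional(rules):
    """True when the policy lets nothing from outside reach an industrial zone."""
    return not inbound_paths(rules)


# Constructed sample: a typical "monitoring" firewall policy. Polling the
# historian from the enterprise side and allowing remote engineering
# access both create inbound paths into the protected zones.
FIREWALLED = [
    Rule("enterprise", "control", "tcp", 1433, "allow"),  # enterprise polls historian
    Rule("enterprise", "sis", "tcp", 3389, "allow"),      # remote engineering session
    Rule("control", "enterprise", "tcp", 443, "allow"),   # data pushed outward
    Rule("any", "any", "any", 0, "deny"),
]

# Constructed sample: monitoring data is pushed outward only; the only
# allow-rules originate inside the industrial zones.
UNIDIRECTIONAL = [
    Rule("control", "enterprise", "tcp", 443, "allow"),
    Rule("sis", "control", "tcp", 502, "allow"),
    Rule("any", "any", "any", 0, "deny"),
]
```

Running `inbound_paths(FIREWALLED)` reports the two enterprise-originated rules, while `is_unidirectional(UNIDIRECTIONAL)` returns `True`.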

But, it is not only the largest critical infrastructure that is the target of modern attacks. Nation-state-sponsored Iranian attackers recently targeted small water treatment and distribution systems in Israel. Organized crime groups target their ransomware attacks to any organization they think is able to pay the ransom. Unidirectional gateways defeat all these remote threats to safe, continuous and efficient industrial operations.

Waterfall leads the world

Waterfall is the world’s leader in unidirectional protection for industrial networks. Our Unidirectional Gateway products have been defeating everything from the simplest to the nastiest of Internet-based attacks for over a decade. For example, one third of the North American power grid’s generating capacity is currently protected unidirectionally, as is the majority of the French grid’s, and essentially all of the Israeli grid’s. Waterfall’s products also protect refineries, water treatment plants, chemical plants, nuclear waste repositories and many other sites. It is no surprise that our invention is now recommended or required for critical infrastructure applications in a rapidly growing number of jurisdictions.

The world will be a safer place when more industrial infrastructure is protected unidirectionally. For more information on the world’s strongest protections for industrial infrastructures, download Waterfall’s latest free eBook on Unidirectional Gateways.

Lior Frenkel