Triton/Trisys Strikes Again

FireEye reports that the Triton (aka Trisys) malware targeting safety instrumented systems has been discovered at another undisclosed target in the Middle East. As a result of investigating that intrusion, FireEye reports that the threat actors behind Triton are a government-sponsored Russian agency.

Triton targets safety systems and is operated by interactive remote control. Human agents use software tools with the look and feel of Remote Desktop (RDP) to operate Triton and other attack tools during the intrusion. FireEye reports that, relative the first Triton attack, a new development is the extensive use of new, custom versions of popular attack tools. The custom versions appear to be designed to avoid anti-virus (AV) systems.

How does this work? AV vendors produce a signature for a piece of malware or other attack tool once the vendors discover the malware on at least several thousand of their Internet-exposed honeypots. Popular attack tools have long since had AV signatures created for them. New implementations of these tools provide the Russian attackers with familiar functionality packaged in executables for which no AV vendor has signatures. This is because the AV vendors have never seen the tools or have not seen the attack tools in on their honeypots in volumes high enough to trigger the creation of signatures, then there are no signatures for the tools. This means AV systems all over the world are therefore be blind to the operation of these new versions of common attack tools.

FireEye also reports that rather than building custom remote-control GUI tools, the Triton attackers seem to prefer to use the native Windows RDP tool. To avoid conflicts with legitimate use of Windows RDP, the attackers frequently tunnel RDP communications through non-standard ports with OpenSSH port redirection and similar tools. The attackers seemed to prefer to carry out this tunneling on ICS jump hosts, because of the privileged position the jump hosts have relative to ICS firewalls.

FireEye points out that the process of penetrating an IT network and manually working through layers of IT and OT networks is a long, multi-stage attack process. If a defender is able to reliably defeat at least one stage in this multi-stage penetration process, then the defender reliably defeats the entire attack.

A reliable way to defeat absolutely all remote-control attacks, on both safety systems and higher-level control networks, is to deploy an outbound unidirectional gateway as the sole connection between the protected network and any external network. The gateways render malicious interactive remote control physically impossible – no matter how custom the malware, how cleverly tunneled the RDP connections or how sophisticated the government-sponsored attackers.

Unidirectionally-secured industrial networks provide safe enterprise visibility into industrial operations, even visibility into safety instrumented systems, without risk to those systems. Thoroughly-secured industrial networks often also require at least some limited, disciplined control signals from enterprise networks back to operations networks. With firewalls, such control signals have only one solution – “Quick, open another port!”.

Unidirectional, control-critical network designs provide for disciplined control in ways that are stronger than firewalls. My latest book Secure Operations Technology documents nearly two dozen designs for unidirectional protection of control-critical networks, many of which support some kind of disciplined remote control from external networks.

An investment in unidirectional security, replacing at least one layer of firewalls in a defense-in-depth network architecture, reliably defeats Triton, BlackEnergy, targeted ransomware and all other remote control attacks, no matter how sophisticated. An investment in unidirectional security is an investment in continuous, correct, efficient and safe physical operations.

Andrew Ginter
Newsletter Signup