TRITON Malware: a new attack framework targeting control systems in critical infrastructure

triton malware

In the latest reported attack against an energy plant, hackers have infiltrated critical safety systems for industrial control units by deploying a malware designed to manipulate safety instrumented systems (SIS) through TRITON malware – a malicious software targeted at  Industrial Control System (ICS) causing operational disruption to the facility.

According to FireEye and Dragos who conducted an investigation of the event, the attackers tried to take remote control of a safety control workstation; some controllers entered a fail-safe mode as the hackers attempted to reprogram them causing related processes to shut down and allowing the plant to spot the attack. It appears that the hackers were probably attempting to learn how they could modify safety systems as preparation for launching future attacks.

Cyber experts mark this sophisticated attack as the first reported breach of a safety system at an industrial plant and call it ‘watershed line’ as additional hackers will catch up and try to execute in the future similar attack methods.

Based on the analysis done by FireEye and Dragos, the clear indication is that the TRITON attack was comprised of two files:

    1. Trilog.exe – masquerade as the legitimate Triconex Trilog application – the main executable leveraging libraries zip.
    2. library.zip – contained Triconex attack framework and payloads.

Running Trilog.exe file depends on library.zip for execution: once invoked Trilog.exe depends on libraries and binaries contained in library.zip to connect to and reprogram the devices.

How will the ODIX system eliminate this attack?

By setting a policy that does not allow PYC or BIN files to enter the network, ODIX sanitization process would have recursively inspected the file and drop the unauthorized content within the zip file causing the main process to be rendered useless. Thus, if the SIS environment was properly isolated and all files introduced to it would have been sanitized with an effective policy, the attack would have been prevented.

ODI’s files Odixing process, based on its advanced CDR (Content Disarm and Reconstruction) technology, enables a secure network and to stay ahead of such threats without compromising on system performance and productivity.
ODIX engine checks every single file entering the network, ensuring all files are malware-free and safe to use.

The innovation of ODI’s unique process and its proactive & preventive nature provides the most effective way to block today’s unknown cyberattacks.

Learn more about the 4 defense lines of the ODIX process – here  <–

2017-12-20T13:19:23+00:00 December 20th, 2017|ODI blog|
Stay on top of the latest anti-malware trends
Get news and insights from our cyber security experts
Your Information will never be shared with any third party.