Tag Archives: Nation State Actors

Triton: Dangerous and Puzzling – Part I

4 March 2018

Jim Finkle’s report ‘Hackers halt plant operations in watershed cyber attack’ (1) published on December 14th, 2017 on Reuters made me curious and nervous at the same time.

The report deals with a cyber-attack on Safety Instrumented Systems (SIS). SIS work independently of the Process Control Systems (PCS). They guarantee that the industrial process, e.g. a reactor or a cracker, can be safely shut down if the PCS can no longer control the process. Since compromising an SIS may cause significant harm to people and the environment, the most important task in Production IT Security is to prevent cyber-attacks on SIS.

Although the attack was intensively discussed in the media and by security researchers, many questions are still open. With this three-part blog series I would like to examine some details more closely. A detailed attack analysis gives IT security strategists the chance to derive improved means of protection for SIS.

Part I: Some facts about the Triton attack

Malware naming

FireEye named the malware TRITON (2). Triton is an attack framework created to interact with Schneider Electric Triconex Safety Instrumented Systems. Other sources name the malware TRISIS (3) or HATMAN (4).

Indicators of Compromise

“In the incident, hackers used sophisticated malware to take remote control of a workstation running a Schneider Electric Triconex safety shutdown system, then sought to reprogram controllers used to identify safety issues. Some controllers entered a fail safe mode, which caused related processes to shut down and caused the plant to identify the attack, FireEye said.” (1)

From the FireEye report, we learn: “The attacker gained remote access to an SIS engineering station and deployed the TRITON attack framework to reprogram the SIS controllers. During the incident, some SIS controllers entered a failed safe state, which automatically shutdown the industrial process and prompted the asset owner to initiate an investigation. The investigation found that the SIS controllers initiated a safe shutdown when application code between redundant processing units failed a validation check — resulting in an MP diagnostic failure message.” (2)

With this, the IoC was: a production process was shut down by the SIS although no indicators of a failure condition were signaled by the PCS.
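As an added example (not from this post, FireEye or Dragos), one way to turn this IoC into a detection rule over event records from both systems: flag every SIS trip that is not preceded by a PCS alarm for the same unit. The record format, the constructed log lines and the 10-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample event log (not from the post or any real plant).
# "source" is the system that wrote the record: PCS = process control
# system, SIS = safety instrumented system.
SAMPLE_EVENTS = [
    {"ts": "2018-03-01T02:10:00", "source": "PCS", "type": "alarm",
     "unit": "U2", "msg": "HI-HI pressure, reactor R-201"},
    {"ts": "2018-03-01T02:10:30", "source": "SIS", "type": "trip",
     "unit": "U2", "msg": "safe shutdown, ESD logic"},
    {"ts": "2018-03-01T03:00:00", "source": "SIS", "type": "trip",
     "unit": "U1", "msg": "safe shutdown, MP diagnostic failure"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def unexplained_sis_trips(events, window=timedelta(minutes=10)):
    """Return the SIS trip events that have no PCS alarm for the same
    unit within the preceding window. Such a trip matches the IoC above:
    the safety system shut the process down although the PCS reported
    no failure condition. The window length is an assumption; tune it
    to the plant's alarm-to-trip timing."""
    pcs_alarms = [e for e in events
                  if e["source"] == "PCS" and e["type"] == "alarm"]
    findings = []
    for e in events:
        if e["source"] != "SIS" or e["type"] != "trip":
            continue
        trip_time = _ts(e)
        explained = any(
            a["unit"] == e["unit"]
            and trip_time - window <= _ts(a) <= trip_time
            for a in pcs_alarms
        )
        if not explained:
            # A diagnostic failure on the safety controller itself, with
            # no process upset reported, deserves the highest priority.
            severity = ("high" if "diagnostic failure" in e["msg"].lower()
                        else "medium")
            findings.append({"unit": e["unit"], "ts": e["ts"],
                             "severity": severity, "msg": e["msg"]})
    return findings


if __name__ == "__main__":
    for f in unexplained_sis_trips(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['ts']} unit {f['unit']}: {f['msg']}")
```

On the sample log only the U1 trip is reported, because the U2 trip follows a PCS high-pressure alarm 30 seconds earlier.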

Preconditions for a successful attack

At least the SIS Engineering Station must be accessible from the network. The FireEye (2) and Dragos (3) reports confirmed that this was the case.

The Triconex memory protection key switch must be left in Program mode long enough to allow the attacker to run the attack. The FireEye (2) report confirmed that this was the case:

“The attacker could have caused a process shutdown by issuing a halt command or intentionally uploading flawed code to the SIS controller to cause it to fail. Instead, the attacker made several attempts over a period of time to develop and deliver functioning control logic for the SIS controllers in this target environment. While these attempts appear to have failed due to one of the attack scripts’ conditional checks, the attacker persisted with their efforts.”

The code is publicly available from GitHub. (5)

Threat Actor

From the FireEye (2) and Dragos (3) analyses it is clear that this was a sophisticated attack. In-depth knowledge of Schneider Electric Triconex SIS and of network intrusion techniques is required to perform such an attack and stay undetected for a while. This indicates a state-sponsored threat actor.

What does this really mean?

Figure: Production Network Reference Architecture

The cyber attacker worked his way through the business DMZ, the business network, the production DMZ and the production partition 1 to the SIS engineering station in zone 2 of production partition 2, without being noticed by any security device, SIEM or endpoint protection. That is truly amazing.

It seems that some basic protective measures were either not fully in place or misconfigured, or that no one checked the logs for indicators of compromise (IoC) and indicators of attack (IoA).

From my point of view this sounds very unlikely and mysterious. I will present some alternative access scenarios in part II.

Have a good weekend.

  1. Finkle J. Hackers halt plant operations in watershed cyber attack. Reuters [Internet]. 2018 Dec 14 [cited 2018 Feb 4]; Available from: https://www.reuters.com/article/us-cyber-infrastructure-attack/hackers-shut-down-infrastructure-safety-system-in-attack-fireeye-idUSKBN1E8271

  2. Caban D, Krotofil M, Scali D, Brubacker N, Glyer C, Johnson B. Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure [Internet]. FireEye Threat Research Blog. 2017 [cited 2018 Feb 12]. Available from: https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html

  3. TRISIS-01.pdf [Internet]. [cited 2018 Mar 3]. Available from: https://dragos.com/blog/trisis/TRISIS-01.pdf

  4. MAR-17-352-01 HatMan—Safety System Targeted Malware_S508C.pdf [Internet]. [cited 2018 Mar 3]. Available from: https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%E2%80%94Safety%20System%20Targeted%20Malware_S508C.pdf

  5. ICSrepo. TRISIS-TRITON-HATMAN: Repository containting original and decompiled files of TRISIS/TRITON/HATMAN malware [Internet]. 2018 [cited 2018 Feb 5]. Available from: https://github.com/ICSrepo/TRISIS-TRITON-HATMAN


Dutch banks hit by massive DDoS attacks – Blaming is difficult in the case of cyber-attacks

24 February 2018

Huib Modderkolk’s report ‘Dutch agencies provide crucial intel about Russia’s interference in US-elections’ [1] dated 25 February 2018 is one of the best spy stories I have ever read. Hackers from the Dutch intelligence service AIVD spied on the Russian hacker group Cozy Bear for some years. They watched them hacking the Democratic Party and manipulating the U.S. elections in 2016. [2]

Some days later Dutch banks and the Dutch Tax Agency [3] were hit by massive DDoS attacks with a peak volume of 40 Gbps. The alleged nation-state threat actor behind these attacks was named quickly, because the timing of the attacks seemed too much of a coincidence. In addition, it is widely assumed that only nation-state actors have the resources to run attacks of this size. Janene Pieters reported on 29 January 2018 that according to ESET the attacks came from servers in Russia. [4]

But blaming is difficult in the case of cyber-attacks.

On 6 February 2017 Janene Pieters reported that an 18-year-old man from Oosterhout was arrested in connection with the DDoS attacks. [5] Tijs Hofmans’ report [6] in ComputerWeekly.com reveals some remarkable background details:

“In messages to the Tweakers systems administrator, Jelle S claimed to have bought a ready-made “stresser” DDoS package on the dark web for which he had paid €50 a week to send 50-100Gb/s of data to victims.”

Crazy world! A script kiddie misused a professional tool for running stress tests against websites to carry out the DDoS attacks. And for a very reasonable price.

Blaming becomes a big issue when it comes to DDoS attacks on critical infrastructure. According to the new U.S. nuclear strategy [7], such an attack on the U.S. homeland could, in the worst case, result in a counterstrike with nuclear weapons.

Have a great weekend.

  1. Modderkolk H. Dutch agencies provide crucial intel about Russia’s interference in US-elections [Internet]. De Volkskrant. 2018 [cited 2018 Jan 30]. Available from: https://www.volkskrant.nl/tech/dutch-agencies-provide-crucial-intel-about-russia-s-interference-in-us-elections~a4561913/

  2. Cluley G. How Dutch intelligence spied on the Russian hackers attacking the DNC [Internet]. Graham Cluley. 2018 [cited 2018 Jan 30]. Available from: https://www.grahamcluley.com/dutch-intelligence-spied-russia-hackers-attacking-dnc/

  3. Cimpanu C. Dutch Banks, Tax Agency Under DDoS Attacks a Week After Big Russian Hack Reveal [Internet]. BleepingComputer. 2018 [cited 2018 Feb 24]. Available from: https://www.bleepingcomputer.com/news/security/dutch-banks-tax-agency-under-ddos-attacks-a-week-after-big-russian-hack-reveal/

  4. Pieters J. Russian servers linked to DDoS attack on Netherlands financial network: Report [Internet]. NL Times. 2018 [cited 2018 Feb 24]. Available from: https://nltimes.nl/2018/01/29/russian-servers-linked-ddos-attack-netherlands-financial-network-report

  5. Pieters J. Suspect arrested for cyber attacks on Dutch tax service; Bunq [Internet]. NL Times. 2018 [cited 2018 Feb 24]. Available from: https://nltimes.nl/2018/02/06/suspect-arrested-cyber-attacks-dutch-tax-service-bunq

  6. Hofmans T. Teenager suspected of crippling Dutch banks with DDoS attacks [Internet]. ComputerWeekly.com. 2018 [cited 2018 Feb 24]. Available from: http://www.computerweekly.com/news/252434665/Teenager-suspected-of-crippling-Dutch-banks-with-DDoS-attacks

  7. Sanger DE, Broad WJ. Pentagon Suggests Countering Devastating Cyberattacks With Nuclear Arms. The New York Times [Internet]. 2018 Jan 16 [cited 2018 Jan 30]. Available from: https://www.nytimes.com/2018/01/16/us/politics/pentagon-nuclear-review-cyberattack-trump.html