Threat Actor Behind Cybersecurity Attacks Targeting Safety Instrumented Systems Identified

A relatively new cyberattack threat activity group dubbed “XENOTIME” is intent on compromising and disrupting industry safety instrumented systems globally, and cybersecurity experts are warning it is “easily the most dangerous threat activity publicly known.”

According to global industrial control system (ICS) cybersecurity firm Dragos Inc., XENOTIME is behind TRISIS (also known as TRITON), the destructive malware that targeted Schneider Electric’s Triconex safety instrumented system (SIS) and shut down industrial systems at a Middle Eastern industrial facility.

In a blog post published on May 24, Dragos said that the incident that it exposed in collaboration with security firm FireEye in December 2017 “represented a shift in the capabilities and consequences of ICS malware.” TRISIS/TRITON is an escalation of attacks by publicly identified malicious software families targeting ICS systems, it said.

More Insidious Attacks by Increasingly Sophisticated Threat Actors

In March, the firm published a series of reports warning that 2017 was a “watershed” year in ICS security largely due to the discovery of new capabilities and a significant increase in ICS threat activity groups. Before last year, only three families of ICS-specific malware were known: STUXNET, discovered before 2010, BLACKENERGY 2, discovered in 2012, and HAVEX, which emerged in 2013. Over 2017, two new samples emerged. One was CRASHOVERRIDE, the first-ever malware framework identified to have been designed and deployed to attack electric grids, and which impacted a single transmission-level substation in Ukraine in December 2016. The second was TRISIS/TRITON, the attack framework which was used to modify application memory on SIS controllers at the Middle Eastern facility to prevent it from functioning correctly, increasing the likelihood of a failure and other physical consequences.

Boston-based critical infrastructure security firm CyberX on May 9 told POWER that TRISIS/TRITON attacks have been confined to Middle Eastern targets. The firm cited a March 15 New York Times report that suggests the TRISIS/TRITON attack—which may have been part of a “string of cyberattacks on petrochemical plants in Saudi Arabia”—was likely conducted by Iranian threat actors, potentially with the assistance of Russia or North Korea, “due to its high level of cyber tradecraft.”

But according to Dragos, more information is still being uncovered about the TRISIS/TRITON malware framework. The firm’s intelligence suggests, however, that XENOTIME may have been active since at least 2014, and that it now operates globally—in regions far outside the Middle East, which was its “initial target.” Dragos’ intelligence also suggests that while it has no known associations to other activity groups, XENOTIME is “presently operating in multiple facilities targeting safety systems beyond Triconex.”

A Clear Target: Safety Instrumented Systems

For Dragos, it is clear that the TRISIS/TRITON attack in the Middle East was “highly tailored,” and “it would have required specific knowledge of Triconex’s infrastructure and processes within a specific plant. This means it’s not easy to scale—however, the malware provides a blueprint of how to target safety instrumented systems,” it said on Thursday.

An SIS is an autonomous control system that independently monitors the status of the process under control. An SIS essentially brings a process that exceeds the parameters defining a hazardous state (such as over-pressurization, overspeed, and overheating) back into a safe state, or it automatically acts to safely shut down the process. Operational technology often also relies on a distributed control system (DCS), which provides human operators with the ability to remotely monitor and control an industrial process through computers, software applications, and controllers. If the SIS and DCS controls fail, the final ICS line of defense is the design of the industrial facility—often mechanical equipment or protections, such as rupture discs, alarms, and emergency response procedures.

As FireEye explained, asset owners employ varied approaches to interface their plant’s DCS with SIS. “The traditional approach relies on the principles of segregation for both communication infrastructures and control strategies. For at least the past decade, there has been a trend towards integrating DCS and SIS designs for various reasons including lower cost, ease of use, and benefits achieved from exchanging information between the DCS and SIS,” it said. “We believe TRITON acutely demonstrates the risk associated with integrated designs that allow bi-directional communication between DCS and SIS network hosts.”
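The segregation concern FireEye raises can be checked against network flow records. The following is an added example, not code from Dragos, FireEye or the article: it flags connections initiated into the SIS zone and host pairs that talk in both directions. The zone subnets, addresses, ports and the `audit_flows` name are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed zone map: placeholder subnets, not taken from the article.
ZONES = {
    "DCS": ipaddress.ip_network("10.10.0.0/24"),
    "SIS": ipaddress.ip_network("10.20.0.0/24"),
}

# Constructed flow records: (initiator, responder, destination port).
SAMPLE_FLOWS = [
    ("10.20.0.5", "10.10.0.12", 502),     # SIS host pushes status to DCS
    ("10.10.0.12", "10.20.0.5", 1502),    # same DCS host connects back into SIS
    ("10.10.0.30", "10.20.0.7", 1502),    # DCS -> SIS only
    ("10.20.0.9", "10.10.0.40", 502),     # SIS -> DCS only
    ("10.10.0.12", "10.10.0.40", 443),    # intra-DCS, out of scope
    ("192.168.1.4", "10.10.0.12", 3389),  # initiator outside both zones
]

def zone_of(addr):
    """Return the zone name containing addr, or None if it is in neither zone."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None

def audit_flows(flows):
    """Return (flows initiated into the SIS zone, bi-directional DCS/SIS host pairs)."""
    directions = defaultdict(set)  # (dcs_host, sis_host) -> directions seen
    inbound_to_sis = []
    for src, dst, port in flows:
        zs, zd = zone_of(src), zone_of(dst)
        if {zs, zd} != {"DCS", "SIS"}:
            continue  # only cross-zone DCS/SIS traffic is of interest
        pair = (src, dst) if zs == "DCS" else (dst, src)
        directions[pair].add(f"{zs}->{zd}")
        if zd == "SIS":
            inbound_to_sis.append((src, dst, port))
    bidirectional = sorted(p for p, seen in directions.items() if len(seen) == 2)
    return inbound_to_sis, bidirectional

if __name__ == "__main__":
    inbound, bidir = audit_flows(SAMPLE_FLOWS)
    print("Initiated into SIS zone:", inbound)
    print("Bi-directional DCS/SIS pairs:", bidir)
```
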

According to Dragos, XENOTIME configured TRISIS/TRITON based on the specifics and functions of the Triconex system within the ICS environment, using credential capture and replay to move between networks, and Windows commands, standard command-line tools (such as PSExec) and proprietary tools for operations on victim hosts.

The firm warned on Thursday that the tradecraft is scalable and available to others “even if the malware itself changes.” And for now, Dragos data shows that XENOTIME remains active.

“Dragos assesses with moderate confidence that XENOTIME intends to establish required access and capability to cause a potential future disruptive or even destructive event,” it said. “Compromising safety systems provides little value outside of disrupting operations. The group created a custom malware framework and tailor-made credential gathering tools, but an apparent misconfiguration prevented the attack from executing properly.

“As XENOTIME matures, it is less likely that the group will make this mistake in the future,” the group said.

—Sonal Patel is a POWER associate editor (@sonalcpatel, @POWERmagazine)