Security researchers are warning ICS managers that a Russian hacking group linked to an attempt to blow up a Saudi oil plant has been found inside a second critical infrastructure (CNI) facility.

The sophisticated Triton hacking group has been active since 2014 and uses several different custom and commodity tools in order to gain access to, and maintain their presence inside, the IT and OT networks of CNI firms. Triton was first identified in a Saudi Arabian oil plant in 2017.

While the location or type of CNI firm targeted was not disclosed by FireEye, the security vendor did emphasize that campaigns such as these take months or even years of careful planning to install the Triton malware, hide it and maintain persistence until the perfect time to attack.

In this attack, the actor was present in the target networks for nearly a year before gaining access to the Safety Instrumented System (SIS) engineering workstation. Once they established a foothold on the corporate network, the actor then successfully gained access to the OT network by using techniques like network reconnaissance, lateral movement, and simply maintaining presence in the target environment.

Obfuscation techniques used by the hacking group included: renaming files to look legitimate, using regular admin tools such as RDP, PsExec and WinRM, using SSH-encrypted tunnels to transfer tools and for remote execution, and routine deletion of attack tools, execution logs, files staged for exfiltration, and more.

Researchers disclosed in a blog post this week a warning that states: “We strongly encourage industrial control system (ICS) asset owners to leverage the indicators, TTPs, and detections to improve their defenses and hunt for related activity in their networks.”

The company also warned that most sophisticated ICS attacks leverage Windows, Linux, and other traditionally “IT” systems (located in either IT or OT networks) as a conduit to the ultimate target, urging defenders to focus on these conduits to avoid such an attack.

NNT’s Change Tracker Gen7 R2 solution focuses on establishing a known, trusted baseline and continuously monitoring for any changes made to that state, leveraging policies and best practices from trusted security experts such as the Center for Internet Security (CIS) Controls. Our second approach focuses on creating a closed-loop environment specific to “expected” changes, alerting you to changes that are not planned or that do not map to an authored work order. By combining these two approaches, an approach NNT calls SecureOps™, industrial control system (ICS) asset owners are able to deliver continuous compliance and assurance to any standard, regulation or policy.
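To make the baseline-and-expected-change idea concrete, here is an added example written for this page (it is not Change Tracker's code and does not use its data formats). It hashes a snapshot of files, compares it against a stored baseline, and reports additions, modifications and removals that are not covered by an approved-change list standing in for a work order. It also pairs a disappeared file with a new file carrying the same hash, which is what "renaming files to look legitimate" and "deleting execution logs" look like from the file system's side. The file paths, file contents and the approved list are all constructed for the example.

```python
"""Added example: baseline snapshot, change detection and an approved-change list.

Not NNT's product code. Paths, contents and the approved list are constructed.
"""
import hashlib
import os


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot_dir(root: str) -> dict:
    """Hash every regular file under root: relative path -> sha256 hex digest."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                out[os.path.relpath(full, root).replace(os.sep, "/")] = sha256(fh.read())
    return out


def diff_baseline(baseline: dict, current: dict, approved=frozenset()) -> dict:
    """Compare two snapshots and return the changes not explained by `approved`.

    `approved` is the set of paths a work order allows to change; a change to a
    path in that set is suppressed, anything else is reported.
    """
    findings = {"added": [], "modified": [], "removed": [], "renamed": []}
    base_by_hash = {h: p for p, h in baseline.items()}
    for path, digest in current.items():
        if path in baseline:
            if baseline[path] != digest and path not in approved:
                findings["modified"].append(path)
            continue
        old_path = base_by_hash.get(digest)
        if old_path is not None and old_path not in current:
            # Same bytes, new name, old name gone: a rename, not a fresh file.
            if path not in approved:
                findings["renamed"].append((old_path, path))
        elif path not in approved:
            findings["added"].append(path)
    renamed_from = {old for old, _ in findings["renamed"]}
    for path in baseline:
        if path not in current and path not in approved and path not in renamed_from:
            findings["removed"].append(path)
    return findings


# Constructed sample snapshots standing in for two scans of an engineering workstation.
_LEGIT = b"legit engineering tool v1 (constructed)"
_STAGED = b"staged tool bytes (constructed)"
BASELINE = {
    "bin/engtool.exe": sha256(_LEGIT),
    "bin/config.ini": sha256(b"rate=10"),
    "logs/exec.log": sha256(b"2021-01-01 engtool started"),
    "tmp/update.tmp": sha256(_STAGED),
}
CURRENT = {
    "bin/engtool.exe": sha256(_LEGIT),          # unchanged
    "bin/config.ini": sha256(b"rate=20"),       # changed, but covered by the work order
    "bin/svchost.exe": sha256(_STAGED),         # tmp/update.tmp renamed to look legitimate
    "bin/helper.dll": sha256(b"unplanned"),     # unapproved addition
    # logs/exec.log is gone: execution log deleted
}
APPROVED = frozenset({"bin/config.ini"})        # constructed work-order scope


def run_demo() -> dict:
    return diff_baseline(BASELINE, CURRENT, APPROVED)


if __name__ == "__main__":
    for kind, items in run_demo().items():
        print(kind, items)
```

The rename pairing only works because the staged file was already in the baseline; a tool copied in and renamed between two scans simply shows up as an addition, which is why the scan interval matters as much as the rule set. Against a real directory, call `snapshot_dir()` twice and pass the results to `diff_baseline()`.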

Copyright 2021, New Net Technologies LLC. All rights reserved.