Security researchers are warning ICS managers that a Russian hacking group linked to an attempt to blow up a Saudi oil plant has been found inside a second critical national infrastructure (CNI) facility.
The sophisticated Triton hacking group has been active since 2014 and uses several different custom and commodity tools to gain access to, and maintain its presence inside, the IT and OT networks of CNI firms. Triton was first identified in a Saudi Arabian oil plant in 2017.
While FireEye did not disclose the location or type of CNI firm targeted, the security vendor did emphasize that campaigns such as these take months or even years of careful planning: installing the Triton malware, hiding it, and maintaining persistence until the attackers judge the time right to strike.
In this attack, the actor was present in the target networks for nearly a year before gaining access to the Safety Instrumented System (SIS) engineering workstation. Once they established a foothold on the corporate network, the actor then successfully gained access to the OT network by using techniques like network reconnaissance, lateral movement, and simply maintaining presence in the target environment.
Obfuscation techniques used by the hacking group included: renaming files to look legitimate, using regular admin tools such as RDP, PsExec and WinRM, using encrypted SSH tunnels to transfer tools and for remote execution, and routinely deleting attack tools, execution logs, files staged for exfiltration, and more.
In a blog post this week, the researchers warned: “We strongly encourage industrial control system (ICS) asset owners to leverage the indicators, TTPs, and detections to improve their defenses and hunt for related activity in their networks.”
The company also warned that most sophisticated ICS attacks leverage Windows, Linux, and other traditionally “IT” systems (located in either IT or OT networks) as a conduit to the ultimate target, urging defenders to focus on these conduits to avoid such an attack.
NNT’s Change Tracker Gen7 R2 solution focuses on establishing a known, trusted baseline and continuously monitoring for any changes made to that state, leveraging policies and best practices from trusted security experts such as the Center for Internet Security (CIS) Controls. Our second approach focuses on creating a closed-loop environment for “expected” changes, alerting you to changes that are not planned or that do not map to an authored work order. By combining these two approaches, which NNT calls SecureOps™, industrial control system (ICS) asset owners are able to deliver continuous compliance and assurance to any standard, regulation or policy.
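As an added illustration of the two defensive ideas above, a trusted file baseline and detection of unplanned change, the following Python script is not FireEye's or NNT's code. It records SHA-256 hashes of a directory tree, then reports files that were added, removed or modified against that baseline. It also pairs a vanished path with a new path carrying the identical hash, which is how a tool renamed to a legitimate-looking name (one of the evasion techniques described above) shows up to a hash-based monitor. The directory layout, file names and contents in `demo()` are constructed for the example.

```python
"""Added illustration: file-integrity baseline with rename detection.

Not FireEye's or NNT's code. Shows the defensive idea of recording a
trusted baseline of file hashes and flagging unplanned changes, including
a tool renamed to an innocuous-looking name (same content, new path).
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_against_baseline(root: Path, baseline: dict) -> dict:
    """Compare the current tree with the recorded baseline.

    added/removed/modified are the usual FIM categories. 'renamed' pairs a
    path that vanished with a new path carrying the identical hash: a file
    moved or renamed rather than genuinely new, so it is reported once as a
    rename instead of as an add plus a remove.
    """
    current = build_baseline(root)
    added = {p for p in current if p not in baseline}
    removed = {p for p in baseline if p not in current}
    modified = {p for p in current if p in baseline and current[p] != baseline[p]}

    # Index vanished paths by hash so each one is matched to at most one new path.
    vanished_by_hash = {}
    for p in removed:
        vanished_by_hash.setdefault(baseline[p], []).append(p)
    renamed = {}
    for p in sorted(added):
        candidates = vanished_by_hash.get(current[p])
        if candidates:
            renamed[candidates.pop(0)] = p

    added -= set(renamed.values())
    removed -= set(renamed)
    return {
        "added": sorted(added),
        "removed": sorted(removed),
        "modified": sorted(modified),
        "renamed": renamed,
    }


def demo() -> dict:
    """Constructed scenario in a temp dir: take a baseline, then make three
    unplanned changes and return what the monitor reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "tools").mkdir()
        # Constructed sample files; contents are placeholders, not real binaries.
        (root / "tools" / "psexec.exe").write_bytes(b"constructed-psexec-bytes")
        (root / "config.ini").write_bytes(b"setting=1\n")
        baseline = build_baseline(root)

        # 1. An admin tool renamed to look like a routine updater.
        (root / "tools" / "psexec.exe").rename(root / "tools" / "svchost_update.exe")
        # 2. A configuration file edited outside any work order.
        (root / "config.ini").write_bytes(b"setting=2\n")
        # 3. A new archive appears (e.g. files staged for transfer).
        (root / "staged.zip").write_bytes(b"constructed-archive")
        return diff_against_baseline(root, baseline)


if __name__ == "__main__":
    for category, items in demo().items():
        print(f"{category}: {items}")
```

In a real deployment the baseline would be stored outside the monitored host and re-signed only through a change-control workflow, so that a rename or edit that does not map to an approved work order is raised as an alert rather than silently absorbed into the next baseline.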