Security researchers are warning ICS managers that a Russian hacking group linked to an attempt to blow up a Saudi oil plant has been found inside a second critical infrastructure (CNI) facility.

The sophisticated Triton hacking group has been active since 2014 and uses several different custom and commodity tools in order to gain access to and maintain their presence inside IT and OT networks of CNI firms. Triton was first identified in a Saudi Arabian oil plan in 2017.

While the location or type of CNI firm targeted was not disclosed by FireEye, the security vendor did emphasize that campaigns such as these take months or even years of careful planning, to install the Triton malware, hide it and maintain persistence until the perfect time to attack.

In this attack, the actor was present in the target networks for nearly a year before gaining access to the Safety Instrumented System (SIS) engineering workstation. Once they established a foothold on the corporate network, the actor then successfully gained access to the OT network by using techniques like network reconnaissance, lateral movement, and simply maintaining presence in the target environment.

Obfuscation techniques used by the hacking group included: renaming files to look legitimate, using regular admin tools such as RDP and Ps/Exec/WinRM, using encrypted SSH-encrypted tunnels to transfer tools and remove execution, and routine deletion of attack tools, execution logs, files staged for exfiltration, and more.

Researchers disclosed in a blog post this week a warning that states: “We strongly encourage industrial control system (ICS) asset owners to leverage the indicators, TTPs, and detections to improve their defenses and hunt for related activity in their networks.”

The company also warned that most sophisticated ICS attacks leverage Windows, Linux, and other traditionally “IT” systems (located in either IT or OT networks) as a conduit to the ultimate target, urging defenders to focus on these conduits to avoid such an attack.

NNT’s Change Tracker Gen7 R2 solution focuses on establishing a known, trusted baseline and continuously monitoring for any changes made to that state by leveraging policies and best practices from trusted security experts like the Center for Internet Security (CIS) CIS Controls. Our second approach focuses on creating a closed-loop environment specific to “expected” changes, alerting you of changes that are not planned or map to an authored work order. By leveraging these two approaches, an approach NNT calls SecureOps™, industrial control system (ICS) assets owners are able to deliver continuous compliance and assurance to any standard, regulation or policy.



The Most Powerful & Reliable Cybersecurity Products

change tracker gen7r2 logo

Change Tracker Gen 7R2: Complete configuration and system integrity assurance combined with the most comprehensive and intelligent change control solution available.

FAST Cloud logo

Fast Cloud: Leverage the world’s largest whitelist repository to automatically evaluate and verify the authenticity of file changes in real-time with NNT FAST™ (File Approved-Safe Technology)

vulnerability tracker logo

Vulnerability Tracker: The world’s only limitless and unrestricted vulnerability scanning solution with unparalleled accuracy and efficiency, protecting your IT assets on premises, in the cloud and mobile endpoints.

log tracker logo

Log Tracker: Comprehensive and easy to use security information & event log management with intelligent & self-learning correlation technology to highlight potentially harmful activity in seconds

Contact Us

Corporate Headquarters

6160 Warren Parkway, Suite 100
Frisco, Texas, 75034

Phone 1: 1-949-407-5125

Phone 2: 888-638-9749 (toll-free)

[email protected]

United Kingdom

5 New Street Square
London EC4A 3TW

Phone: +44 (0) 203 588 3023

 [email protected]
SC Magazine Cybersecurity 500 CSGEA Winners 2021 CIS benchmarking SEWP Now Certified IBM Security
Copyright 2023, New Net Technologies LLC. All rights reserved. 
NNT and Change Tracker are registered trademarks of New Net Technologies LLC.
All other product, company names and trademarks are the property of their respective owners.