Triton Malware Attack

Security researchers are warning ICS managers that a Russian hacking group linked to an attempt to blow up a Saudi oil plant has been found inside a second critical national infrastructure (CNI) facility.

The sophisticated Triton hacking group has been active since 2014 and uses several different custom and commodity tools to gain access to, and maintain its presence inside, the IT and OT networks of CNI firms. Triton was first identified in a Saudi Arabian oil plant in 2017.

While the location and type of CNI firm targeted were not disclosed by FireEye, the security vendor did emphasize that campaigns such as these take months or even years of careful planning: installing the Triton malware, hiding it and maintaining persistence until the chosen moment to attack.

In this attack, the actor was present in the target networks for nearly a year before gaining access to the Safety Instrumented System (SIS) engineering workstation. Once they established a foothold on the corporate network, the actor then successfully gained access to the OT network by using techniques like network reconnaissance, lateral movement, and simply maintaining presence in the target environment.

Obfuscation techniques used by the hacking group included: renaming files to look legitimate, using regular admin tools such as RDP and PsExec/WinRM, using encrypted SSH tunnels to transfer tools and for remote execution, and routine deletion of attack tools, execution logs, files staged for exfiltration, and more.
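Each of those techniques leaves a trace in ordinary Windows telemetry, which is what makes the FireEye advice to hunt on the IT/OT conduit hosts practical. The script below is an added example, not FireEye's or NNT's detection content: it runs a handful of hunting rules over constructed key=value event records that stand in for normalised Windows events. The event IDs (4624, 7045, 4688, 4663) are real Windows IDs; the hostnames, users, paths and the `ENG-`/`SIS-` naming convention for engineering workstations are assumed for the demo.

```python
"""Hunting heuristics for the tradecraft the post lists: RDP and PsExec/WinRM
use, SSH tunnels, look-alike file names and routine clean-up of tools.

Added example, not FireEye's or NNT's detection content. The log lines are
constructed key=value records standing in for normalised Windows events;
the event IDs (4624, 7045, 4688, 4663) are real Windows IDs, everything
else (hosts, users, paths, the ENG-/SIS- host-naming convention) is assumed.
"""
import re
from collections import Counter

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed site conventions (not from the post).
OT_HOST_PREFIXES = ("ENG-", "SIS-")                # engineering / SIS workstations
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "explorer.exe"}
STAGING_DIRS = ("c:\\windows\\temp\\", "c:\\users\\public\\", "c:\\programdata\\")

# Constructed sample telemetry, one event per line (not real data).
SAMPLE_LOG = """\
ts=2019-04-01T02:11:03Z host=ENG-WS01 event=4624 logon_type=10 user=svc_backup src_ip=10.20.5.14
ts=2019-04-01T02:13:40Z host=ENG-WS01 event=7045 service=PSEXESVC image=C:\\Windows\\PSEXESVC.exe
ts=2019-04-01T02:14:02Z host=ENG-WS01 event=4688 image=C:\\Windows\\System32\\wsmprovhost.exe parent=svchost.exe user=svc_backup
ts=2019-04-01T02:15:10Z host=ENG-WS01 event=4688 image=C:\\Windows\\Temp\\ssh.exe cmdline="ssh.exe -N -R 8443:127.0.0.1:3389 ops@10.20.5.14"
ts=2019-04-01T02:20:55Z host=ENG-WS01 event=4688 image=C:\\Windows\\Temp\\svchost.exe parent=cmd.exe user=svc_backup
ts=2019-04-01T02:31:17Z host=ENG-WS01 event=4663 access=DELETE object=C:\\Windows\\Temp\\svchost.exe user=svc_backup
ts=2019-04-01T09:00:00Z host=HR-WS22 event=4624 logon_type=2 user=alice src_ip=-
"""


def parse(line):
    """Turn one key=value line into a dict; quoted values keep their spaces."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def _dir(path):
    return path.rsplit("\\", 1)[0].lower() + "\\"


def check(rec):
    """Return the names of every hunting rule this record trips."""
    hits = []
    ev = rec.get("event")
    image = rec.get("image", "")
    obj = rec.get("object", "")
    cmd = rec.get("cmdline", "").lower()
    if ev == "4624" and rec.get("logon_type") == "10" and rec.get("host", "").startswith(OT_HOST_PREFIXES):
        hits.append("rdp_to_ot_host")               # interactive RDP onto an engineering host
    if ev == "7045" and rec.get("service", "").upper() == "PSEXESVC":
        hits.append("psexec_service_install")       # PsExec installs its helper service
    if ev == "4688" and _base(image) == "wsmprovhost.exe":
        hits.append("winrm_remote_shell")           # host process for inbound WinRM sessions
    if ev == "4688" and _base(image) in ("ssh.exe", "plink.exe") and re.search(r"\s-[lr]\s", cmd):
        hits.append("ssh_tunnel")                   # port-forwarding flags on an SSH client
    if ev == "4688" and _base(image) in SYSTEM_NAMES and not _dir(image).startswith(SYSTEM_DIRS):
        hits.append("masquerading_binary")          # system-looking name outside system dirs
    if (ev == "4663" and rec.get("access") == "DELETE" and _base(obj).endswith(".exe")
            and _dir(obj).startswith(STAGING_DIRS)):
        hits.append("staged_tool_deleted")          # executable removed from a staging dir
    return hits


def hunt(log_text):
    """Run every rule over every line; returns (ts, host, rule) triples."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        for rule in check(rec):
            findings.append((rec.get("ts"), rec.get("host"), rule))
    return findings


def hosts_by_hits(findings):
    """Hosts ranked by how many distinct rules fired, so a chain of weak
    signals on one machine surfaces above one-off noise elsewhere."""
    distinct = {}
    for _, host, rule in findings:
        distinct.setdefault(host, set()).add(rule)
    return Counter({h: len(r) for h, r in distinct.items()})


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for ts, host, rule in found:
        print(ts, host, rule)
    print(hosts_by_hits(found).most_common())
```

None of these rules is conclusive on its own (administrators really do use RDP, PsExec and WinRM), which is why the ranking counts distinct rules per host rather than raw events: one engineering workstation tripping six different rules in half an hour is the pattern worth a ticket, a single RDP logon is not.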

Researchers disclosed in a blog post this week a warning that states: “We strongly encourage industrial control system (ICS) asset owners to leverage the indicators, TTPs, and detections to improve their defenses and hunt for related activity in their networks.”

The company also warned that most sophisticated ICS attacks leverage Windows, Linux, and other traditionally “IT” systems (located in either IT or OT networks) as a conduit to the ultimate target, urging defenders to focus on these conduits to avoid such an attack.

NNT’s Change Tracker Gen7 R2 solution focuses on establishing a known, trusted baseline and continuously monitoring for any changes made to that state, leveraging policies and best practices from trusted security experts such as the Center for Internet Security (CIS) Controls. Our second approach focuses on creating a closed-loop environment for “expected” changes, alerting you to changes that are not planned or that do not map to an authorised work order. By combining these two approaches, which NNT calls SecureOps™, industrial control system (ICS) asset owners are able to deliver continuous compliance and assurance to any standard, regulation or policy.
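The baseline-plus-closed-loop idea maps directly onto the tradecraft above: a renamed tool dropped into a temp folder, a tool deleted after use, or a patched engineering binary all show up as drift from a hashed baseline, and only the last of those should match an approved work order. The following is an added illustration of that loop, not NNT's Change Tracker code; it assumes a minimal work-order record (id, path, approved SHA-256, change window) and builds its own constructed files in a temporary directory.

```python
"""Baseline-and-change-control loop of the kind the paragraph describes.

Added example, not NNT's Change Tracker code. It assumes a minimal
work-order record (id, path, approved sha256, change window); the files
and the work order below are constructed for the demo.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each file under root (posix-style relative path) to its SHA-256."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = hash_file(full)
    return snap


def classify(baseline, current, work_orders, observed_at):
    """Closed loop: every drift from the baseline is reported, and it is only
    'planned' when a work order names that path, approved exactly the hash
    now on disk (None = approved deletion) and covers the observation time.
    Anything else is an unplanned change to investigate."""
    report = {}
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old == new:
            continue
        kind = "added" if old is None else "removed" if new is None else "modified"
        order = next((wo for wo in work_orders
                      if wo["path"] == path and wo["expected_sha256"] == new
                      and wo["window_start"] <= observed_at <= wo["window_end"]), None)
        report[path] = ("planned", order["id"]) if order else ("unplanned", kind)
    return report


def demo():
    """Build a constructed golden state, apply one approved and two
    unapproved changes, and return the classification."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)

        # Constructed "known good" state of an engineering workstation folder.
        write("tools/sis_config.ini", b"[sis]\nversion=1\n")
        write("tools/monitor.exe", b"MZ original monitor build")
        baseline = snapshot(root)

        approved = b"MZ monitor build 2 (vendor patch)"
        utc = timezone.utc
        work_orders = [{                      # constructed work order, hypothetical schema
            "id": "WO-1042", "path": "tools/monitor.exe",
            "expected_sha256": hashlib.sha256(approved).hexdigest(),
            "window_start": datetime(2019, 4, 1, 2, 0, tzinfo=utc),
            "window_end": datetime(2019, 4, 1, 4, 0, tzinfo=utc),
        }]
        write("tools/monitor.exe", approved)                      # matches WO-1042
        write("tools/sis_config.ini", b"[sis]\nversion=2\n")      # nobody approved this edit
        write("tools/svchost.exe", b"MZ not the real svchost")    # new binary, no work order
        observed_at = datetime(2019, 4, 1, 3, 0, tzinfo=utc)
        return classify(baseline, snapshot(root), work_orders, observed_at)


if __name__ == "__main__":
    for path, (status, detail) in demo().items():
        print(f"{status:9} {path}  ({detail})")
```

The design point is that approval is tied to the exact resulting hash and a time window, not merely to the path: a work order to patch `monitor.exe` does not bless an arbitrary file written to that path a week later, so a tool renamed to a legitimate-looking name still surfaces as an unplanned change.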


Copyright 2019, New Net Technologies LLC. All rights reserved. 
NNT and Change Tracker are registered trademarks of New Net Technologies LLC.
All other product, company names and trademarks are the property of their respective owners.