C0030 Triton Safety Instrumented System Attack
Triton Safety Instrumented System Attack was a campaign employed by TEMP.Veles which leveraged the Triton malware framework against a petrochemical organization.1 The malware and techniques used within this campaign targeted specific Triconex Safety Controllers within the environment.3 The incident was eventually discovered due to a safety trip that occurred as a result of an issue in the malware.2
| Item | Value |
|---|---|
| ID | C0030 |
| Associated Names | |
| First Seen | June 2017 |
| Last Seen | August 2017 |
| Version | 1.0 |
| Created | 25 March 2024 |
| Last Modified | 17 November 2024 |
| Navigation Layer | View In ATT&CK® Navigator |
Groups
| ID | Name | References |
|---|---|---|
| G0088 | TEMP.Veles | 45 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1595 | Active Scanning | In the Triton Safety Instrumented System Attack, TEMP.Veles engaged in network reconnaissance against targets of interest.4 |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | In the Triton Safety Instrumented System Attack, TEMP.Veles used a publicly available PowerShell-based tool, WMImplant.4 |
| enterprise | T1587 | Develop Capabilities | - |
| enterprise | T1587.001 | Malware | In the Triton Safety Instrumented System Attack, TEMP.Veles developed, prior to the attack, malware capabilities that would require access to specific and specialized hardware and software.5 |
| enterprise | T1573 | Encrypted Channel | In the Triton Safety Instrumented System Attack, TEMP.Veles used cryptcat binaries to encrypt their traffic.4 |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.003 | Web Portal Capture | In the Triton Safety Instrumented System Attack, TEMP.Veles captured credentials as they were being changed by redirecting text-based login codes to websites they controlled.1 |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Resource Name or Location | In the Triton Safety Instrumented System Attack, TEMP.Veles renamed files to look like legitimate files, such as Windows update files or Schneider Electric application files. |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.005 | Indicator Removal from Tools | In the Triton Safety Instrumented System Attack, TEMP.Veles modified files based on the open-source project cryptcat in an apparent attempt to decrease anti-virus detection rates.4 |
| enterprise | T1588 | Obtain Capabilities | - |
| enterprise | T1588.002 | Tool | In the Triton Safety Instrumented System Attack, TEMP.Veles used tools such as Mimikatz and other open-source software.4 |
| enterprise | T1003 | OS Credential Dumping | - |
| enterprise | T1003.001 | LSASS Memory | In the Triton Safety Instrumented System Attack, TEMP.Veles used Mimikatz.3 |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | In the Triton Safety Instrumented System Attack, TEMP.Veles installed scheduled tasks defined in XML files.4 |
| ics | T0830 | Adversary-in-the-Middle | In the Triton Safety Instrumented System Attack, TEMP.Veles changed phone numbers tied to certain specific accounts in a designated contact list. They then used the changed phone numbers to redirect network traffic to websites controlled by them, thereby allowing them to capture and use any login codes sent to the devices via text message.1 |
| ics | T0807 | Command-Line Interface | In the Triton Safety Instrumented System Attack, TEMP.Veles’ tool took one option from the command line, which was a single IP address of the target Triconex device.5 |
| ics | T0872 | Indicator Removal on Host | In the Triton Safety Instrumented System Attack, TEMP.Veles would programmatically return the controller to a normal running state if the Triton malware failed. If the controller could not recover in a defined time window, TEMP.Veles programmatically overwrote their malicious program with invalid data.5 |
| ics | T0867 | Lateral Tool Transfer | In the Triton Safety Instrumented System Attack, TEMP.Veles made attempts on multiple victim machines to transfer and execute the WMImplant tool.4 |
| ics | T0828 | Loss of Productivity and Revenue | In the Triton Safety Instrumented System Attack, TEMP.Veles tripped a controller into a failed safe state, which caused an automatic shutdown of the plant, this resulted in a pause of plant operations for more than a week. Thereby impacting industrial processes and halting productivity.5 |
| ics | T0843 | Program Download | In the Triton Safety Instrumented System Attack, TEMP.Veles downloaded multiple rounds of control logic to the Safety Instrumented System (SIS) controllers through a program append operation.5 |
| ics | T0886 | Remote Services | In the Triton Safety Instrumented System Attack, TEMP.Veles utilized remote desktop protocol (RDP) jump boxes, poorly configured OT firewalls 1, along with other traditional malware backdoors, to move into the ICS environment.31 |
| ics | T0853 | Scripting | In the Triton Safety Instrumented System Attack, TEMP.Veles used a publicly available PowerShell-based tool, WMImplant.4 |
| ics | T0855 | Unauthorized Command Message | In the Triton Safety Instrumented System Attack, TEMP.Veles leveraged Triton to send unauthorized command messages to the Triconex safety controllers.3 |
| ics | T0859 | Valid Accounts | In the Triton Safety Instrumented System Attack, TEMP.Veles used valid credentials when laterally moving through RDP jump boxes into the ICS environment.3 |
Software
| ID | Name | Description |
|---|---|---|
| S0002 | Mimikatz | 3 |
References
-
Blake Sobczak. (2019, March 7). The inside story of the world’s most dangerous malware. Retrieved March 25, 2024. ↩↩↩↩↩
-
Johnson, B, et. al. (2017, December 14). Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure. Retrieved January 6, 2021. ↩
-
Miller, S. Reese, E. (2018, June 7). A Totally Tubular Treatise on TRITON and TriStation. Retrieved November 17, 2024. ↩↩↩↩↩↩
-
FireEye Intelligence . (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019. ↩↩↩↩↩↩↩↩↩
-
Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer. (2017, December 14). Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure. Retrieved January 12, 2018. ↩↩↩↩↩↩