Skip to content

S1009 Triton

Triton is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers.1327564

Item Value
ID S1009
Associated Names
Type MALWARE
Version 1.0
Created 26 March 2019
Last Modified 23 November 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
ics T0858 Change Operating Mode Triton has the ability to halt or run a program through the TriStation protocol. TsHi.py contains instances of halt and run functions being executed. 10
ics T0885 Commonly Used Port Triton uses TriStations default UDP port, 1502, to communicate with devices. 10
ics T0868 Detect Operating Mode Triton contains a file named TS_cnames.py which contains default definitions for program state (TS_progstate). Program state is referenced in TsHi.py.10
ics T0871 Execution through API Triton leverages a reconstructed TriStation protocol within its framework to trigger APIs related to program download, program allocation, and program changes. 4
ics T0820 Exploitation for Evasion Triton disables a firmware RAM/ROM consistency check after injects a payload (imain.bin) into the firmware memory region. 2 8 7 Triconex systems include continuous means of detection including checksums for firmware and program integrity, memory and memory reference integrity, and configuration. 9
ics T0890 Exploitation for Privilege Escalation Triton leverages a previously-unknown vulnerability affecting Tricon MP3008 firmware versions 10.010.4 allows an insecurely-written system call to be exploited to achieve an arbitrary 2-byte write primitive, which is then used to gain supervisor privileges. 2
ics T0874 Hooking Triton‘s injector, inject.bin, changes the function pointer of the ‘get main processor diagnostic data’ TriStation command to the address of imain.bin so that it is executed prior to the normal handler. 4
ics T0872 Indicator Removal on Host Triton would reset the controller to the previous state over TriStation and if this failed it would write a dummy program to memory in what was likely an attempt at anti-forensics. 4
ics T0880 Loss of Safety Triton has the capability to reprogram the SIS logic to allow unsafe conditions to persist or reprogram the SIS to allow an unsafe state while using the DCS to create an unsafe state or hazard. 1
ics T0849 Masquerading Triton‘s injector, inject.bin, masquerades as a standard compiled PowerPC program for the Tricon. 2
ics T0821 Modify Controller Tasking Triton‘s argument-setting and inject.bin shellcode are added to the program table on the Tricon so that they are executed by the firmware once each cycle. 2 4
ics T0834 Native API Triton‘s imain.bin payload takes commands from the TsHi.ExplReadRam(Ex), TsHi.ExplWriteRam(Ex) and TsHi.ExplExec functions to perform operations on controller memory and registers using syscalls written in PowerPC shellcode. 4
ics T0843 Program Download Triton leveraged the TriStation protocol to download programs onto Triconex Safety Instrumented System. 4
ics T0845 Program Upload Triton calls the SafeAppendProgramMod to transfer its payloads to the Tricon. Part of this call includes preforming a program upload. 10
ics T0846 Remote System Discovery Triton uses a Python script that is capable of detecting Triconex controllers on the network by sending a specific UDP broadcast packet over port 1502. 2
ics T0853 Scripting Triton communicates with Triconex controllers using a custom component framework written entirely in Python. The modules that implement the TriStation communication protocol and other supporting components are found in a separate file – library.zip – the main script that employs this functionality is compiled into a standalone py2exe Windows executable – trilog.exe which includes a Python environment. 2
ics T0869 Standard Application Layer Protocol Triton can communicate with the implant utilizing the TriStation ‘get main processor diagnostic data’ command and looks for a specifically crafted packet body from which it extracts a command value and its arguments. 4
ics T0857 System Firmware Triton is able to read, write and execute code in memory on the safety controller at an arbitrary address within the devices firmware region. This allows the malware to make changes to the running firmware in memory and modify how the device operates. 2

Groups That Use This Software

ID Name References
G0088 TEMP.Veles 12

References

  1. Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer 2017, December 14 Attackers Deploy New ICS Attack Framework TRITON and Cause Operational Disruption to Critical Infrastructure Retrieved. 2018/01/12  

  2. DHS CISA 2019, February 27 MAR-17-352-01 HatManSafety System Targeted Malware (Update B) Retrieved. 2019/03/08  

  3. Dragos 2017, December 13 TRISIS Malware Analysis of Safety System Targeted Malware Retrieved. 2018/01/12  

  4. Jos Wetzels 2018, January 16 Analyzing the TRITON industrial malware Retrieved. 2019/10/22  

  5. Julian Gutmanis 2019, March 11 Triton - A Report From The Trenches Retrieved. 2019/03/11  

  6. Schneider 2018, December 14 Security Notification EcoStruxure Triconex Tricon V3 Retrieved. 2019/03/08  

  7. Schneider Electric 2018, January 23 TRITON - Schneider Electric Analysis and Disclosure Retrieved. 2019/03/14  

  8. ICS-CERT 2018, December 18 Advisory (ICSA-18-107-02) - Schneider Electric Triconex Tricon (Update B) Retrieved. 2019/03/08  

  9. The Office of Nuclear Reactor Regulation Schneider Electric 2018, January 23 TRITON - Schneider Electric Analysis and Disclosure Retrieved. 2019/03/14 Triconex Topical Report 7286-545-1 Retrieved. 2018/05/30  

  10. MDudek-ICS TRISIS-TRITON-HATMAN Retrieved. 2019/11/03  

  11. Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer. (2017, December 14). Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure. Retrieved January 6, 2021. 

  12. Dragos, Inc.. (n.d.). Xenotime. Retrieved April 16, 2019.