In October last year, US security companies FireEye, Dragos, and Symantec reported that the cyber attack at the Saudi petrochemical plant was related to a Russian research institute. The malicious program used by the attacker is designed to shut down the production process or to have the SIS-controlled machine work in an unsafe state. The security company named the malicious program Triton or Trisis. The attack on Saudi Arabia occurred in August last year and was previously thought to have been done by Iran. The attacker invaded Triconex, an industrial controller that safely operated Schneider’s equipment, which is used by 18,000 plants worldwide, including nuclear processing facilities. The attack almost caused the factory to explode. FireEye believes that the Russian government’s research institute, the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), participated in the attack. The malicious program deployed by the attacker contains information that points to the research institution.
Now, FireEye researchers have revealed attacks that exploit the same malicious program framework against a different critical infrastructure location. Similar to attacks against Saudi factories, attackers focus their resources on the operational technology of the plant.
The actor used multiple techniques to hide their activities, cover their tracks, and deter forensic examination of their tools and activities.
- They renamed their files to make them look like legitimate files, for example, KB77846376.exe, named after Microsoft update files.
- They routinely used standard tools that would mimic legitimate administrator activities. This included heavy use of RDP and PsExec/WinRM.
- When planting webshells on the Outlook Exchange servers, they modified already existing legitimate flogon.js and logoff.aspx files.
- They relied on encrypted SSH-based tunnels to transfer tools and for remote command/program execution.
- They used multiple staging folders and opted to use directories that were used infrequently by legitimate users or processes.
- They routinely deleted dropped attack tools, execution logs, files staged for exfiltration, and other files after they were finished with them.
- They renamed their tools’ filenames in the staging folder so that it would not be possible to identify the malware’s purpose, even after it was deleted from the disk through the residual artifacts (e.g., ShimCache entries or WMI Recently Used Apps).
- They used timestomping to modify the $STANDARD_INFORMATION attribute of the attack tools.
After the target network gains a foothold, most of the tools used by attackers are mainly used for network reconnaissance. Once access to the controller, the attacker begins to concentrate on maintaining control. The newly discovered customization tools show the attacker’s interest in the safety of industrial facilities operations.