SCADA Hacking: The Triton Malware Threat to SCADA/ICS Infrastructure

Cyberwar Hacking ICS SCADA Hacking

Welcome back, my aspiring SCADA cyber warriors!

SCADA/ICS infrastructure is under continuous threat. These systems are crucial to any nation’s economic health and well-being and are the primary target in any cyber war. These systems include the electrical grid, waster water systems, manufacturing, petrochemical refining, chemical processing and nearly any industrial process. If an adversary can knock out these systems, it can have a devastating effect on the nation’s economy and ability to defend itself from its adversaries.

As I outlined in my articles on Stuxnet and BlackEnergy3, the malware targeting the industrial sector continues to become increasingly more sophisticated. This latest threat to industrial infrastructure first appeared in December 2017 and was named Triton or Tritonex. On July 24, 2020, the US National Security Agency and the US Critical Infrastructure Security Agency (CISA) both warned of the danger to all nations’ infrastructure from this malware.

The malware exploits a security bug in Schneider Electric’s Triconex TriStation. Although this malware has been around since 2017, a new crop of bugs impact TriStation 1131, v1.0.0 to v4.9.0, v4.10.0, and 4.12.0, operating on Windows NT, Windows XP or Windows 7; and Tricon Communications Module (TCM) Models 4351, 4352, 4351A/B, and 4352A/B installed in Tricon v10.0 to v10.5.3 systems

žThe critical bug (CVE-2020-7491) is an improper access control flaw: “A legacy debug port account in TCMs installed in Tricon system Versions 10.2.0 through 10.5.3 is visible on the network and could allow inappropriate access.” This developers left a debug port in place on the production systems that enables attackers to control and upload their own logic that controls these key safety systems. Once again, Schneider Electric is guilty of gross negligence in the development of these crucial products (see our exploitation of the Schneider Electric SAS system here).

What is Triton/Triconex

žTriton or Tritonex is malware first discovered at a Saudi Arabian petrochemical plant in December, 2017. This malware attacks the Schneider Electric Safety Instrumented System (SIS). These systems are designed to protect humans, industrial facilities and the surrounding communities by controlling or shutting down industrial facilities in the event of unsafe conditions. In essence, these SIS systems are a safeguard against industrial disasters.

For instance, consider a circumstance where the pressure within a pipe or vessel becomes dangerously high. The SIS system is intended to detect such a condition and activate pressure relief valves to eliminate the dangerous condition, thereby, averting a disaster.

žTriconex is both the name of a Schneider Electric brand that supplies these products, systems and services for safety, critical control and turbo-machinery applications AND the name of its hardware devices that utilize its TriStation application software.

According the Schneider Electric, these Triconex products are based on patented Triple Modular Redundancy (TMR) industrial safety-shutdown technology. Today, Triconex TMR products operate globally in more than 11,500 installations, making Triconex the largest TMR supplier in the world.

Attribution

Although attribution is always a tricky exercise, FireEye reported that the malware most likely came from the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), a research entity in Russia.

žAttackers there gained remote access to an SIS (Safety Instrumented System) controllers engineering workstation and deployed the TRITON attack framework to reprogram the SIS controllers. In this way, the controllers can be disabled or programmed to miss such unsafe conditions they are designed for.

Finding Triton Systems

There are over 11,000 of the Triton SIS systems around the world meaning that they are distributed to nearly every nation and type of industrial facility. We can easily find some of these facilities using Censys. As you can see below, here is facility in the state of Kansas in the US utilizing this vulnerable SIS system.

Summary

SCADA/ICS systems are the primary target in any cyber war attack. Both Stuxnet and Blackenergy3 were effective SCADA/ICS attacks in the name of cyber warfare. The Triton/Triconex presently attacking critical infrastructure is just the latest in a long line of SCADA/ICS attacks. It is crucial that cyber security engineers understand and protect against such attacks. Unfortunately, most cyber security engineers are totally unaware of the threat to and the dynamics of these systems. To learn more about SCADA/ICS cybersecurity, see our series on SCADA Hacking or attend our SCADA Hacking and Security training.