TP-2017-0004 critical AI Draft A

TRITON / TRISIS Safety-System Attack

Date: December 14, 2017
Attack Type: Sabotage
Sector: Energy & Utilities
Geography: Middle East
Threat Actor: TsNIIKhM-linked Russian actors
Attribution: A2
Confidence: A

Summary

In 2017, attackers deployed TRITON, also tracked as TRISIS and HatMan, against the safety instrumented systems (SIS) of a Middle East-based energy-sector facility. Mandiant said the attackers gained remote access to an SIS engineering workstation and deployed malware designed to interact with Schneider Electric Triconex Tricon safety controllers. Some controllers entered a failed safe state, which automatically shut down the industrial process and led the asset owner to investigate.

TRITON is distinct from ordinary enterprise malware because it targeted the safety layer itself: the SIS is the last automated barrier that brings an industrial process to a safe state when the process-control system fails to keep it within safe operating limits, so a compromised SIS can let a hazardous condition develop unchecked. CISA, the FBI, and the Department of Energy later stated that Russian cyber actors tied to TsNIIKhM gained access to and used TRITON to manipulate a foreign oil refinery’s ICS controllers. The cited public sources do not identify the victim organization by name, and they report no physical damage or casualties from the 2017 shutdown.

Technical Analysis

TRITON was built to interact with Triconex Safety Instrumented System controllers through the TriStation protocol. Mandiant described the main executable as trilog.exe, a Py2EXE-compiled Python script that depended on a library archive containing standard Python libraries, open-source libraries, and attacker-developed components for Triconex controller interaction. CISA described the malware as including a custom Python script, four Python modules, and malicious shellcode with an injector and payload.

The malware could read and write controller programs, query controller state, and append attacker-provided payloads to controller memory and the program execution table. MITRE ATT&CK describes TRITON as capable of halting or running a program through TriStation, invoking the program download and program change APIs, discovering controllers by sending a UDP broadcast to port 1502 (the port TriStation listens on), and reading, writing, or executing code in the safety controller's firmware region.

CISA stated that TRITON affected Triconex Tricon safety programmable logic controllers by modifying in-memory firmware to add programming. That added functionality let an attacker read or modify memory contents and execute custom code, which could disable the safety functions the controller is there to enforce. In the observed incident, Mandiant assessed that a validation failure of the application code between redundant processing units caused some controllers to fail safe and shut down the industrial process.

Attack Chain

Stage 1: Access to the Safety Engineering Workstation

Mandiant reported that the attacker gained remote access to an SIS engineering workstation. Public reporting in the cited sources does not provide enough detail to state the initial access vector.

Stage 2: Deployment of TRITON

The attacker deployed TRITON on the Windows-based engineering workstation. The executable name, trilog.exe, mimicked a legitimate Triconex application used for log review, so the file would not stand out among the vendor tooling normally present on such a workstation.
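As an added example (not code from this profile or from any of the cited sources), the check a defender would run over engineering-workstation process-creation logs to catch this kind of name masquerade: a file name reused from the vendor's tool set is treated as benign only when its hash is on the golden-image allowlist, and anything else with that name is reported along with the path and parent process it came from. The JSON-lines event format, the install path, the SHA-256 values, and the sample events are all constructed placeholders.

```python
"""Flag process-creation events where a trusted vendor tool name is reused from an
untrusted path or with an unknown hash (TRITON's trilog.exe masqueraded by name).

Added example for this profile, not code from Mandiant, CISA, or Schneider Electric.
Assumed, not from the page: the JSON-lines event format, the install path, the
SHA-256 values, and every sample event below are constructed placeholders.
"""
import json
from pathlib import PureWindowsPath

# Known-good binaries that can talk to or program the safety controllers.
# Keyed by lowercase file name -> (expected install prefix, set of approved SHA-256 hashes).
# Values are placeholders; populate from your own golden-image inventory.
VENDOR_TOOL_ALLOWLIST = {
    "trilog.exe": (
        r"c:\program files (x86)\triconex",
        {"1111111111111111111111111111111111111111111111111111111111111111"},
    ),
}

# Constructed process-creation events (JSON lines), not a real capture.
SAMPLE_EVENTS = r"""
{"ts": "2024-01-15T02:14:03Z", "host": "EWS-SIS-01", "image": "C:\\Program Files (x86)\\Triconex\\trilog.exe", "sha256": "1111111111111111111111111111111111111111111111111111111111111111", "parent": "explorer.exe"}
{"ts": "2024-01-15T02:31:47Z", "host": "EWS-SIS-01", "image": "C:\\Users\\ops\\Desktop\\trilog.exe", "sha256": "2222222222222222222222222222222222222222222222222222222222222222", "parent": "cmd.exe"}
{"ts": "2024-01-15T02:32:10Z", "host": "EWS-SIS-01", "image": "C:\\Windows\\System32\\notepad.exe", "sha256": "3333333333333333333333333333333333333333333333333333333333333333", "parent": "explorer.exe"}
"""


def classify(event: dict):
    """Return None for benign events, otherwise a short reason string."""
    image = event["image"]
    name = PureWindowsPath(image).name.lower()
    if name not in VENDOR_TOOL_ALLOWLIST:
        return None  # not a controller-capable tool name; outside this check's scope
    prefix, hashes = VENDOR_TOOL_ALLOWLIST[name]
    if event["sha256"].lower() in hashes:
        return None  # approved build, wherever it was launched from
    if image.lower().startswith(prefix + "\\"):
        return f"{name}: unknown hash in vendor install directory (tampered or unapproved build)"
    return f"{name}: vendor tool name launched from untrusted path {image} (parent {event['parent']})"


def scan(text: str):
    """Parse JSON-lines events and return [(ts, host, reason)] for the suspicious ones."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reason = classify(event)
        if reason:
            findings.append((event["ts"], event["host"], reason))
    return findings


if __name__ == "__main__":
    for ts, host, reason in scan(SAMPLE_EVENTS):
        print(ts, host, reason)
```

Against the constructed events only the copy launched from a user profile by cmd.exe is reported; the genuine install and the unrelated notepad.exe are ignored. The hash comparison is what makes the rule useful: a name-only or path-only rule would miss a malicious file dropped into the vendor directory, and a hash-only rule would generate noise for every unrelated binary on the host.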

Stage 3: Controller Interaction Through TriStation

The malware used attacker-developed Python modules to communicate with Triconex controllers through TriStation. The tool could check controller state, read configuration information exposed by the protocol, and pass payload files to communication libraries for insertion into controller memory.

Stage 4: Payload Placement in Controller Memory

Mandiant said the sample added an attacker-provided program to the Triconex controller execution table while leaving legitimate programs in place. CISA later described the malware as modifying in-memory firmware and enabling custom code execution on the safety controller.

Stage 5: Failed Safe State and Process Shutdown

Some SIS controllers entered a failed safe state after the application code between redundant processing units failed a validation check. The resulting shutdown is what surfaced the intrusion; public sources document no physical damage from it.

Impact Assessment

The confirmed operational impact was a shutdown of the affected industrial process. CISA stated that the 2017 TRITON use resulted in the refinery shutting down for several days. Mandiant reported that some SIS controllers entered a failed safe state, triggering an automatic process shutdown and prompting an investigation by the asset owner.

The potential impact was broader than the observed outage. Safety instrumented systems exist to bring an industrial process back to a safe state when hazardous conditions arise, so an attacker who can rewrite them can remove that protection or trip it at will. Mandiant assessed with moderate confidence that the attacker was developing the capability to cause a physical consequence, based on the choice to target the SIS and the capability to reprogram safety controllers, and that the shutdown itself was most likely an inadvertent result of that development work rather than the intended outcome.

The cited public sources do not report casualties, environmental damage, confirmed equipment damage, or a public financial loss figure for the 2017 event. CISA also stated that it had no information indicating that the same actors intentionally disrupted U.S. energy-sector infrastructure.

Attribution

Mandiant did not attribute the activity to a tracked actor when it publicly described the incident in December 2017. It assessed with moderate confidence that the actor was sponsored by a nation state, citing the safety-system target, absence of a clear monetary goal, and the resources needed to build and test the attack framework.

In March 2022, CISA, the FBI, and the Department of Energy linked the 2017 TRITON deployment to Russian cyber actors with ties to TsNIIKhM. The same advisory stated that a TsNIIKhM cyber actor was a co-conspirator in the 2017 deployment. This attribution is bounded to the public U.S. government statements and does not identify the victim organization by name in the cited material.

Timeline

2017 — TRITON Deployment and Process Shutdown

Attackers deployed TRITON against safety systems at a Middle East-based energy-sector facility. Some safety controllers entered a failed safe state and the industrial process shut down.

2017-12-14 — Mandiant Public Disclosure

Mandiant publicly described the TRITON malware and the safety-system incident, including the remote access to an SIS engineering workstation and the automatic shutdown caused by failed safe controller behavior.

2019-03-05 — CISA / DHS HatMan Analysis

CISA / DHS published the HatMan malware analysis, documenting TRITON components and controller-interaction behavior.

2022-03-24 — U.S. Government Energy-Sector Advisory

CISA, the FBI, and the Department of Energy published an advisory describing indicted Russian state-sponsored activity against the energy sector and linking the 2017 TRITON deployment to Russian actors tied to TsNIIKhM.

Remediation & Mitigation

Safety-system networks should be segmented from process-control and enterprise networks wherever technically feasible. Mandiant recommended that engineering workstations capable of programming SIS controllers not be dual-homed, that is, connected at the same time to the SIS network and to any other process-control or information-system network; a dual-homed workstation collapses the network boundary into a single host, which is exactly the kind of host the attacker reached in this incident.

Organizations should restrict who can program safety controllers and should use hardware key-switch controls where available. Triconex controllers accept program downloads only while the physical key switch is in program mode, so a key left in that position gives up the one control that does not depend on the engineering workstation being trustworthy. Keys should not remain in program mode outside planned programming events, and every key-state change should be covered by change-management and audit procedures.

Asset owners should enforce strict access control, application allowlisting, host logging, and network monitoring on every system that can reach safety controllers, since both the masqueraded executable and the TriStation traffic it generates are observable there. CISA also recommends protocol filtering, risk-based patch management, centralized log review for critical ICS hosts, and avoiding unnecessary vendor device connections to ICS networks.
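As an added example (not code from this profile or from the cited sources), a network-monitoring check that applies to the TriStation behavior described under Technical Analysis and Stage 3: every UDP/1502 flow is matched against an engineering-workstation allowlist and a planned programming window, and any broadcast to that port is flagged as controller enumeration. The Zeek-style conn.log layout, the addresses, the allowlist, and the window values are constructed assumptions, not taken from any of the reports.

```python
"""Flag anomalous TriStation (UDP/1502) flows in Zeek-style conn.log records.

Added example for this profile, not code from Mandiant, CISA, or Schneider Electric.
Assumed, not from the page: the conn.log column order, the sample addresses, the
engineering-workstation allowlist, and the programming window are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

TRISTATION_PORT = 1502  # TriStation listens on UDP/1502; TRITON's discovery sweep broadcasts to it

# Constructed conn.log excerpt (not a real capture). Tab-separated columns:
# ts  id.orig_h  id.orig_p  id.resp_h  id.resp_p  proto
SAMPLE_CONN_LOG = """\
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1700000100.0\t10.10.20.5\t51000\t10.10.30.11\t1502\tudp
1700000200.0\t10.10.20.5\t51001\t10.10.30.255\t1502\tudp
1700000300.0\t10.10.20.77\t51002\t10.10.30.11\t1502\tudp
1700000400.0\t10.10.20.5\t51003\t10.10.30.11\t502\ttcp
1700010000.0\t10.10.20.5\t51004\t10.10.30.11\t1502\tudp
"""


@dataclass(frozen=True)
class Finding:
    ts: float
    src: str
    dst: str
    reason: str


def parse_conn_log(text: str):
    """Yield (ts, src, dst, dport, proto) per record, skipping Zeek '#' header lines."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, _sport, dst, dport, proto = line.split("\t")[:6]
        yield float(ts), src, dst, int(dport), proto


def in_window(ts: float, windows) -> bool:
    """True if ts (epoch seconds) falls inside any (start, end) programming window."""
    return any(start <= ts <= end for start, end in windows)


def detect(text: str, authorized_ews, sis_subnet: str, windows):
    """Run three checks over every UDP/1502 flow and return the list of Findings."""
    sis_net = ip_network(sis_subnet)
    findings = []
    for ts, src, dst, dport, proto in parse_conn_log(text):
        if proto != "udp" or dport != TRISTATION_PORT:
            continue  # not TriStation; other ICS protocols need their own rules
        dst_ip = ip_address(dst)
        # 1. A broadcast to the TriStation port is controller enumeration, never routine engineering traffic.
        if dst_ip == sis_net.broadcast_address or dst == "255.255.255.255":
            findings.append(Finding(ts, src, dst, "UDP/1502 broadcast (controller discovery sweep)"))
        # 2. Only designated engineering workstations may speak TriStation at all.
        if src not in authorized_ews:
            findings.append(Finding(ts, src, dst, "TriStation traffic from host outside EWS allowlist"))
        # 3. Even an authorized workstation should only program controllers inside a planned window,
        #    the same window in which the key switch is legitimately in program mode.
        elif not in_window(ts, windows):
            findings.append(Finding(ts, src, dst, "TriStation traffic outside scheduled programming window"))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_CONN_LOG, {"10.10.20.5"}, "10.10.30.0/24", [(1700000000, 1700003600)]):
        print(f"{f.ts:.0f} {f.src} -> {f.dst}: {f.reason}")
```

Run against the constructed sample, three findings come back: the broadcast sweep, the unauthorized host, and the authorized workstation talking to a controller outside its window. In production, feed it the real conn.log and derive the window list from the same change records that authorize turning the key switch to program mode, so that the network rule and the physical control describe the same approved activity.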

For Schneider Electric Triconex environments, defenders should review CISA and vendor guidance for TRITON-related mitigations and patches. Public sources state that Schneider Electric issued a patch for the attack vector described in the U.S. government advisory.

Sources & References