Triton

Triton, TRITON, Trisis, TRISIS, HatMan
(Type: ICS malware, Reconnaissance, Backdoor, Downloader, Info stealer, Remote command)

(FireEye) The TRITON attack tool was built with a number of features, including the ability to read and write programs, read and write individual functions and query the state of the SIS controller. However, only some of these capabilities were leveraged in the trilog.exe sample (e.g. the attacker did not leverage all of TRITON’s extensive reconnaissance capabilities). The TRITON malware contained the capability to communicate with Triconex SIS controllers (e.g. send specific commands such as halt or read its memory content) and remotely reprogram them with an attacker-defined payload. The TRITON sample Mandiant analyzed added an attacker-provided program to the execution table of the Triconex controller. This sample left legitimate programs in place, expecting the controller to continue operating without a fault or exception. If the controller failed, TRITON would attempt to return it to a running state. If the controller did not recover within a defined time window, this sample would overwrite the malicious program with invalid data to cover its tracks.

[News Analysis] Trends:

Total Trend: 19

Trend Per Year
2017: 3
2018: 5
2019: 3
2020: 2
2021: 1
2022: 5


Trend Per Month
Dec 2017: 3
Jan 2018: 1
Apr 2018: 1
Aug 2018: 1
Oct 2018: 2
Mar 2019: 1
Apr 2019: 1
Aug 2019: 1
Oct 2020: 1
Dec 2020: 1
Feb 2021: 1
Mar 2022: 2
Apr 2022: 2
Jul 2022: 1



[News Analysis] News Mention Another Threat Name:

3 - Clop
22 - Industroyer
3 - MimiKatz
37 - Triton
13 - VPNFilter
19 - BlackEnergy
13 - DanaBot
13 - DoppelDridex
13 - Emotet
33 - EternalPetya
13 - GoldMax
13 - Sality
13 - SmokeLoader
13 - TrickBot
13 - Zloader
13 - Killnet
9 - Havex RAT
2 - Stuxnet
9 - WellMail
9 - elf.wellmess
9 - Agent.BTZ
9 - Ryuk
9 - WellMess
15 - ZooPark
15 - magecart
15 - POWERSTATS
15 - Chaperone
15 - COMpfun
15 - FinFisher RAT
15 - HawkEye Keylogger
15 - HOPLIGHT
15 - Microcin
15 - NjRAT
15 - Olympic Destroyer
15 - PLEAD
15 - RokRAT
15 - Zebrocy
1 - TEMP.Veles


[TTP Analysis] Technique Performance:

reconnaissance: 0/43
resource development: 0/45
initial access: 0/19
execution: 1/36
persistence: 1/113
privilege escalation: 1/96
defense evasion: 0/184
credential access: 0/63
discovery: 0/44
lateral movement: 0/22
collection: 0/37
command and control: 0/39
exfiltration: 0/18
impact: 0/26


[TTP Analysis] Mitre Attack Matrix:

Tactics (matrix columns): TA0043 Reconnaissance, TA0042 Resource Development, TA0001 Initial Access, TA0002 Execution, TA0003 Persistence, TA0004 Privilege Escalation, TA0005 Defense Evasion, TA0006 Credential Access, TA0007 Discovery, TA0008 Lateral Movement, TA0009 Collection, TA0011 Command and Control, TA0010 Exfiltration, TA0040 Impact

Techniques in the matrix:
Execution (TA0002): T1053.002 Scheduled Task/Job: At
Persistence (TA0003): T1053.002 Scheduled Task/Job: At
Privilege Escalation (TA0004): T1053.002 Scheduled Task/Job: At


[Infrastructure Analysis] Based on Related IOC:

No related IOC listed (the IP:Port, Domain and URL tables with timestamps are empty).


[Target Analysis] Region/Sector:

No information


References:

News Article (Credit @Malpedia)

Mandiant Red Team Emulates FIN11 Tactics To Control Operational Technology Servers

2022-07-26 by Thibault van Geluwe de Berlaere from Mandiant

AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure

2022-04-20 by CISA from CISA

Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure

2022-04-20 by CISA from CISA

Alert (AA22-083A) Tactics, Techniques, and Procedures of Indicted State-Sponsored Russian Cyber Actors Targeting the Energy Sector

2022-03-24 by US-CERT from CISA

PIN Number 20220324-001 TRITON Malware Remains Threat to Global Critical Infrastructure Industrial Control Systems (ICS)

2022-03-24 by FBI from FBI

Visibility, Monitoring, and Critical Infrastructure Security

2021-02-11 by Joe Slowik from DomainTools

Russian cyber attack campaigns and actors

2020-12-21 by Adam Hlavek from IronNet

Treasury Sanctions Russian Government Research Institution Connected to the Triton Malware

2020-10-23 by U.S. Department of the Treasury from U.S. Department of the Treasury

APT trends report Q2 2019

2019-08-01 by GReAT from Kaspersky Labs

TRISIS / TRITON / HatMan Malware Repository

2019-04-10 by Marcin Dudek from Github (ICSrepo)

The inside story of the world's most dangerous malware

2019-03-07 by Blake Sobczak from E&E News

TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers

2018-10-23 by FireEye Intelligence from FireEye

TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of Industrial Control Systems, Forever

2018-10-01 by Andrea Carcano from SANS Cyber Summit

TRITON: The First ICS Cyber Attack on Safety Instrument Systems

2018-08-08 by Alessandro Di Pinto from Nozomi Networks

MAR-17-352-01 HatMan - Safety System Targeted Malware (Update A)

2018-04-10 by NCCIC from NCCIC

Analyzing the TRITON industrial malware

2018-01-16 by Jos Wetzels from Midnight Blue Labs

Malware Analysis Report on Hatman

2017-12-18 by NCCIC from NCCIC

Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure

2017-12-14 by Blake Johnson from FireEye

TRISIS Malware: Analysis of Safety System Targeted Malware

2017-12-13 by Dragos from Dragos

Basic Information (Credit @etda.or.th)

Tool: Triton

Names: Triton, TRITON, Trisis, TRISIS, HatMan

Category: Malware

Type: ICS malware, Reconnaissance, Backdoor, Downloader, Info stealer, Remote command

Information: https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html

Information: https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware

Information: https://dragos.com/blog/trisis/TRISIS-01.pdf

Information: https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%E2%80%94Safety%20System%20Targeted%20Malware_S508C.pdf

Information: https://github.com/ICSrepo/TRISIS-TRITON-HATMAN

Information: https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html

Information: https://blogs.cisco.com/security/how-does-triton-attack-triconex-industrial-safety-systems

Mitre-attack: https://attack.mitre.org/software/S0609/

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.triton

Last-card-change: 2022-12-30

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi

TTP Info (Credit @Mitre)

Tactics (matrix columns): TA0043 Reconnaissance, TA0042 Resource Development, TA0001 Initial Access, TA0002 Execution, TA0003 Persistence, TA0004 Privilege Escalation, TA0005 Defense Evasion, TA0006 Credential Access, TA0007 Discovery, TA0008 Lateral Movement, TA0009 Collection, TA0011 Command and Control, TA0010 Exfiltration, TA0040 Impact

Techniques in the matrix:
Execution (TA0002): T1053.002 Scheduled Task/Job: At
Persistence (TA0003): T1053.002 Scheduled Task/Job: At
Privilege Escalation (TA0004): T1053.002 Scheduled Task/Job: At

T1053.002 Scheduled Task/Job: At: at can be used to schedule a task on a system to be executed at a specific date or time.