Triton Group Found Inside Second CNI Facility


A sophisticated Russian hacking group linked to an attempt to blow up a Saudi oil plant has been discovered inside a second critical national infrastructure (CNI) facility, security researchers have warned.

The Triton group has been active since 2014, and uses dozens of custom and commodity tools to gain access to and maintain persistence inside IT and OT networks of CNI firms, according to FireEye.

The security vendor didn’t elaborate on the location or even the type of CNI firm targeted in this second attack, although it emphasized that such campaigns can require months or even years of careful planning to install malware like Triton, hide it, and maintain persistence until the time is right to strike.

“This attack was no exception. The actor was present in the target networks for almost a year before gaining access to the Safety Instrumented System (SIS) engineering workstation. Throughout that period, they appeared to prioritize operational security,” FireEye explained.

“After establishing an initial foothold on the corporate network, the TRITON actor focused most of their effort on gaining access to the OT network. They did not exhibit activities commonly associated with espionage, such as using key loggers and screenshot grabbers, browsing files, and/or exfiltrating large amounts of information. Most of the attack tools they used were focused on network reconnaissance, lateral movement, and maintaining presence in the target environment.”

Obfuscation techniques used by the gang included: renaming files to look legitimate; using regular admin tools like RDP and PsExec/WinRM; using encrypted “SSH-based tunnels” to transfer tools and for remote execution; and routine deletion of attack tools, execution logs, files staged for exfiltration, and so on.

The aim was to deliver the Triton malware on the SIS workstation, although it’s not clear if the ultimate goal was destruction or sabotage, as per the last major reported incident involving the group.

FireEye urged ICS managers to use the detection rules and other information in its report to hunt for presence of the group inside their facilities.
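The techniques the article lists (PsExec/WinRM use, files renamed to look like system binaries, SSH tunnels, deletion of execution logs) are all things a defender can look for in ordinary Windows event logs. The script below is an added illustration written for this page, not FireEye's published detection rules and not code from the report: it runs a handful of hunting heuristics over a constructed set of log lines. The log format, host name and file paths are invented for the example; the event IDs used (7045 service installation, 4688 process creation, 5156 filtering-platform connection, 1102 audit log cleared) are standard Windows events.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log lines for the example (not from the article or the report).
# Format: "<time> <host> <event_id> <message>"
SAMPLE_LOGS = [
    "2019-04-10T02:14:07 ENG-WS01 4688 NewProcess=C:\\Windows\\System32\\svchost.exe Parent=services.exe",
    "2019-04-10T02:15:31 ENG-WS01 7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe",
    "2019-04-10T02:16:02 ENG-WS01 4688 NewProcess=C:\\Users\\Public\\svchost.exe Parent=cmd.exe",
    "2019-04-10T02:17:45 ENG-WS01 5156 Direction=Outbound DestAddress=10.10.5.20 DestPort=22 Application=C:\\Users\\Public\\svchost.exe",
    "2019-04-10T02:20:13 ENG-WS01 4688 NewProcess=C:\\Windows\\System32\\wsmprovhost.exe Parent=svchost.exe",
    "2019-04-10T02:25:55 ENG-WS01 1102 The audit log was cleared.",
    "2019-04-10T03:00:00 ENG-WS01 4688 NewProcess=C:\\Windows\\System32\\notepad.exe Parent=explorer.exe",
]

LOG_RE = re.compile(r"^(?P<time>\S+) (?P<host>\S+) (?P<event_id>\d+) (?P<msg>.*)$")

# Names an attacker might reuse to make a tool "look legitimate" (assumed list; extend as needed).
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe"}
# Directories from which those names are expected to run (assumed; Windows defaults).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class Finding:
    rule: str
    host: str
    line: str


def _field(msg: str, key: str) -> Optional[str]:
    """Extract a Key=Value token from the message text."""
    m = re.search(rf"{key}=(\S+)", msg)
    return m.group(1) if m else None


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def hunt(lines: List[str]) -> List[Finding]:
    """Apply the hunting heuristics to each log line and collect matches."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        host, eid, msg = m["host"], int(m["event_id"]), m["msg"]

        # PsExec installs a service named PSEXESVC on the target host.
        if eid == 7045 and "PSEXESVC" in msg.upper():
            findings.append(Finding("psexec_service_install", host, line))

        elif eid == 4688:
            proc = _field(msg, "NewProcess") or ""
            name = _basename(proc)
            # wsmprovhost.exe is the host process for WinRM remote commands.
            if name == "wsmprovhost.exe":
                findings.append(Finding("winrm_remote_execution", host, line))
            # A system binary name running from an untrusted directory suggests a renamed tool.
            elif name in SYSTEM_BINARY_NAMES and not proc.lower().startswith(TRUSTED_DIRS):
                findings.append(Finding("masquerading_binary_path", host, line))

        # Outbound SSH from a workstation is unusual in many OT environments; in practice
        # scope this rule to hosts (e.g. engineering workstations) where SSH is unexpected.
        elif eid == 5156:
            if _field(msg, "Direction") == "Outbound" and _field(msg, "DestPort") == "22":
                findings.append(Finding("outbound_ssh_connection", host, line))

        # Clearing the audit log matches the "routine deletion of execution logs" behaviour.
        elif eid == 1102:
            findings.append(Finding("audit_log_cleared", host, line))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOGS):
        print(f"[{f.rule}] {f.host}: {f.line}")
```

On the constructed sample the script flags five lines and leaves the two benign process-creation events alone. Each heuristic on its own is noisy in a real estate (administrators also use PsExec and WinRM), so the value comes from correlating several of them on the same host inside a short window, as the quoted description of the intrusion suggests.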

It’s claimed that the only thing preventing a major explosion at the Saudi petrochemical plant was a bug in the attackers’ code.
