FBI PIN TLP White: TRITON Malware Remains Threat to Global Critical Infrastructure Industrial Control Systems (ICS)

The FBI is warning that the group responsible for the deployment of TRITON malware against a Middle East–based petrochemical plant’s safety instrumented system in 2017, the Russian Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM), continues to conduct activity targeting the global energy sector. This warning follows the 24 March 2022 unsealing of a US indictment of a Russian national and TsNIIkhM employee involved in that attack. TRITON was malware designed to cause physical safety systems to cease operating or to operate in an unsafe manner. Its potential impact could be similar to cyberattacks previously attributed to Russia that caused blackouts in Ukraine in 2015 and 2016.

TRITON malware targeted the Schneider Electric Triconex safety instrumented system (SIS), which is used to initiate safe shutdown procedures in the event of an emergency. TRITON malware affected Triconex Tricon safety controllers by modifying in-memory firmware to add additional programming, potentially leading to damage of a facility, system downtime, and even loss of life should the SIS fail to initiate safe shutdown procedures. Schneider Electric addressed the vulnerability (with the Tricon model 3008 v10.0-10.4) when version  11.3 of the Tricon controller was released in June 2018; however, older versions of the controller remain in use and are vulnerable to a similar attack. As a result, the FBI is alerting the ICS community of continued activity by this group and requests that any indicators of potential compromise be reported to the FBI.

Threat

In June and again in August 2017, TRITON malware (also known as TRISIS and HatMan) was used against a Middle East–based petrochemical facility’s safety controllers. The US Government has publicly attributed TRITON malware to TsNIIKhM, a Russian government-controlled research institution that supports the Russian armed forces with advanced research, weapons, and cyber capabilities.

TRITON malware was designed to target a specific SIS controller model, with a specific firmware version, running a small range of specific versioned firmware, and used in critical infrastructure facilities to initiate immediate shutdown procedures in the event of an emergency. For more information on affected equipment and TRITON malware, see CISA ICS Advisory Schneider Electric Triconex Tricon (Update B) and CISA Malware Analysis Report (MAR) HatMan - Safety System Targeted Malware (Update B).

In the 2017 attack, the actor gained initial access and then moved laterally through the information technology (IT) and operational technology (OT) networks onto the safety system and installed TRITON malware. This provided the actor access to and control of Schneider Electric’s Triconex devices used in the facility’s ICS safety system. The facility automatically entered a safe state after several of the Triconex ICS safety controllers detected an anomaly, caused by software bugs in the TRITON malware. The subsequent investigation of the shutdown revealed the attacker’s presence and the malware itself. The facility’s automatic shutdown and detection of malware prevented the cyberattack from reaching its full capabilities.

TRITON malware’s design gave the attackers complete remote control of the SIS, providing them the capability to cause significant physical damage and loss of life if the plant were to enter an unsafe state, according to investigations and analysis that followed the event. After the August 2017 cyberattack, the actors again obtained unauthorized access to a file server to collect information on how the facility responded to the incident.

The TRITON attack represented a notable shift in ICS targeting as the first attack designed to allow physical damage, environmental impact, and loss of life in the event of a plant’s running in an unsafe condition. Critical infrastructure asset owners and operators should be mindful of the risks posed to SIS regardless of vendor, as these safety systems will likely continue to be targeted by sophisticated cyber actors.

Russian cyber actors have previously conspired to deploy malware and take other disruptive actions for the strategic benefit of Russia through unauthorized access to victim computers and ICS. These cyberattacks used some of the world’s most destructive malware to date, including KillDisk and Industroyer, which each caused blackouts in Ukraine in 2015 and 2016, respectively. Russian cyber actors have also deployed non-disruptive malware, such as Havex, which enables the actors to return to compromised and otherwise vulnerable ICS devices for future espionage purposes.
For additional information on the TRITON malware attack, see the FBI PIN titled Unattributed Cyber Actors Exploiting Internet-connected ICS/SCADA Systems, PIN 20180614-001.

For more information on Russian state-sponsored malicious cyber activity, see cisa.gov/uscert/Russia.

View the detailed report below.