Software: Triton, TRISIS, HatMan
Aliases: Triton, TRISIS, HatMan
Associated Software Descriptions
- Change Operating Mode - Triton can halt or run a program over the TriStation protocol; TsHi.py contains halt and run functions that are executed against the controller.[8]
- Commonly Used Port - The Triton framework communicates with the implant using the TriStation 'get main processor diagnostic data' command; the implant looks for a specifically crafted packet body, from which it extracts a command value and its arguments.[7]
- Detect Operating Mode - Triton contains a file named TS_cnames.py with default definitions for key state (TS_keystate). Key state is referenced in TsHi.py.[8]
- Detect Operating Mode - Triton contains a file named TS_cnames.py with default definitions for program state (TS_progstate). Program state is referenced in TsHi.py.[8]
- Engineering Workstation Compromise - Triton gained remote access to an SIS engineering workstation.[1]
- Execution through API - Triton leverages a reconstructed TriStation protocol within its framework to trigger APIs related to program download, program allocation, and program changes.[7]
- Exploitation for Evasion - Triton disables a firmware RAM/ROM consistency check after injecting its payload (imain.bin) into the firmware memory region.[3][9][4] Triconex systems include continuous means of detection, including checksums for firmware and program integrity, memory and memory-reference integrity, and configuration.[10]
- Exploitation for Privilege Escalation - Triton leverages a previously unknown vulnerability in Tricon MP3008 firmware versions 10.0–10.4 in which an insecurely written system call can be exploited to achieve an arbitrary 2-byte write primitive, which is then used to gain supervisor privileges.[3]
- Hooking - Triton's injector, inject.bin, changes the function pointer of the 'get main processor diagnostic data' TriStation command to the address of imain.bin so that the payload is executed before the normal handler.[7]
- Indicator Removal on Host - Triton would reset the controller to its previous state over TriStation and, if this failed, write a dummy program to memory, likely as an anti-forensics measure.[7]
- Loss of Safety - Triton can reprogram the SIS logic to allow unsafe conditions to persist, or reprogram the SIS to allow an unsafe state while the DCS is used to create an unsafe state or hazard.[1]
- Masquerading - Triton was configured to masquerade as trilog.exe, which is the Triconex software for analyzing SIS logs.[1]
- Masquerading - Triton's injector, inject.bin, masquerades as a standard compiled PowerPC program for the Tricon.[3]
- Modify Controller Tasking - Triton's "argument-setting" and inject.bin shellcode are added to the program table on the Tricon so that they are executed by the firmware once each cycle.[3][7]
- Native API - Triton's imain.bin payload takes commands from the TsHi.ExplReadRam(Ex), TsHi.ExplWriteRam(Ex) and TsHi.ExplExec functions to perform operations on controller memory and registers using syscalls written in PowerPC shellcode.[7]
- Program Download - Triton leveraged the TriStation protocol to download programs onto Triconex Safety Instrumented Systems.[7]
- Program Upload - Triton calls SafeAppendProgramMod to transfer its payloads to the Tricon. Part of this call includes performing a program upload.[8]
- Remote System Discovery - Triton uses a Python script that can detect Triconex controllers on the network by sending a specific UDP broadcast packet to port 1502.[3]
- Scripting - Triton communicates with Triconex controllers using a custom component framework written entirely in Python. The modules that implement the TriStation communication protocol and other supporting components are packaged in a separate file, library.zip; the main script that uses this functionality is compiled into a standalone py2exe Windows executable, trilog.exe, which bundles a Python environment.[3]
- System Firmware - The malicious shellcode Triton uses is split into two separate pieces, inject.bin and imain.bin. The former is more generic code that handles injecting the payload into the running firmware, while the latter is the payload that performs the additional malicious functionality. The payload, imain.bin, is designed to take a TriStation protocol 'get main processor diagnostic data' command, look for a specially crafted packet body, and perform custom actions on demand. It can read and write memory on the safety controller and execute code at an arbitrary address within the firmware. If the memory address it writes to is within the firmware region, it disables address translation, writes the code at the provided address, flushes the instruction cache, and re-enables address translation. This lets the malware modify the running firmware in memory and so change how the device operates, including the actions the Tricon controller takes.[3]
- Unauthorized Command Message - Using Triton, an adversary can manipulate the process into an unsafe state from the DCS while preventing the SIS from functioning appropriately.[1]
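The entries above describe Triton's network footprint: a UDP broadcast to port 1502 to find controllers, TriStation traffic originating from a compromised engineering workstation, program download and halt/run commands sent to the Tricon, and a command channel hidden inside 'get main processor diagnostic data' requests. The following is an added example of network-side detection heuristics over those behaviours; it is not code from this page or from the Triton framework. The flow records are constructed, the `cmd` field stands for a TriStation command name as a protocol dissector might label it (this example does not decode raw TriStation function codes), the command-name strings, the site network 10.1.1.0/24 and the engineering-workstation allowlist are all assumptions of the example.

```python
"""Network-side detection heuristics for TriStation traffic (added example, not Triton code).

The `cmd` field is assumed to be a TriStation command name as a dissector might label it;
raw function codes are not decoded here.  All sample data below is constructed.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

TRISTATION_UDP_PORT = 1502  # UDP port TriStation uses; Triton's discovery broadcast targets it

# Commands that change what the controller runs.  Names are illustrative labels chosen to
# match the actions described for Triton (program download, halt/run), not a protocol spec.
PROGRAM_CHANGING_CMDS = {"program download", "halt program", "run program"}
DIAG_CMD = "get main processor diagnostic data"  # the command Triton's implant hooks for C2


@dataclass(frozen=True)
class Flow:
    ts: float                  # seconds since start of the log
    src: str
    dst: str
    dport: int
    proto: str
    cmd: Optional[str] = None  # decoded TriStation command (assumed dissector output)


@dataclass(frozen=True)
class Alert:
    severity: str
    rule: str
    src: str
    detail: str


def is_broadcast(dst: str, network: ipaddress.IPv4Network) -> bool:
    """True for the subnet's directed broadcast address or the limited broadcast."""
    ip = ipaddress.ip_address(dst)
    return ip == network.broadcast_address or ip == ipaddress.ip_address("255.255.255.255")


def analyze(flows, allowlist, network, diag_window=10.0, diag_threshold=20):
    """Return alerts for the TriStation behaviours the Triton write-ups describe."""
    allowlist = set(allowlist)
    alerts = []
    seen_unapproved = set()
    diag_times = defaultdict(list)

    for f in flows:
        if f.proto != "udp" or f.dport != TRISTATION_UDP_PORT:
            continue  # only TriStation traffic is of interest here

        # Remote System Discovery: a UDP broadcast to 1502 sweeps the segment for Tricons.
        if is_broadcast(f.dst, network):
            alerts.append(Alert("high", "tristation_discovery_broadcast", f.src,
                                f"UDP broadcast to {f.dst}:{f.dport}"))
            continue

        # Engineering Workstation Compromise: anything but a known EWS speaking TriStation.
        if f.src not in allowlist and (f.src, f.dst) not in seen_unapproved:
            seen_unapproved.add((f.src, f.dst))
            alerts.append(Alert("high", "tristation_from_unapproved_host", f.src,
                                f"{f.cmd or 'unknown command'} -> {f.dst}"))

        # Program Download / Change Operating Mode: alert even from an allowlisted EWS,
        # because a compromised EWS is exactly how Triton reached the controller.
        if f.cmd in PROGRAM_CHANGING_CMDS:
            sev = "high" if f.src not in allowlist else "medium"
            alerts.append(Alert(sev, "tristation_program_change", f.src, f"{f.cmd} -> {f.dst}"))

        if f.cmd == DIAG_CMD:
            diag_times[(f.src, f.dst)].append(f.ts)

    # Commonly Used Port: the implant's C2 rides inside normal-looking diagnostic requests,
    # so a rate heuristic is weak evidence at best; baseline diag_threshold per site.
    for (src, dst), times in diag_times.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > diag_window:
                start += 1
            if end - start + 1 >= diag_threshold:
                alerts.append(Alert("low", "tristation_diag_burst", src,
                                    f"{end - start + 1} diag requests to {dst} in {diag_window}s"))
                break
    return alerts


# Constructed sample: 10.1.1.20 is the approved EWS, 10.1.1.50 the Tricon, 10.1.1.10 a rogue host.
SITE_NET = ipaddress.ip_network("10.1.1.0/24")
EWS_ALLOWLIST = {"10.1.1.20"}
SAMPLE_FLOWS = [
    Flow(0.0, "10.1.1.10", "10.1.1.255", 1502, "udp", None),             # discovery broadcast
    Flow(1.0, "10.1.1.20", "10.1.1.50", 1502, "udp", DIAG_CMD),          # routine EWS poll
    Flow(2.0, "10.1.1.10", "10.1.1.50", 1502, "udp", "program download"),  # rogue download
    Flow(3.0, "10.1.1.20", "10.1.1.60", 502, "tcp", None),               # Modbus/TCP, ignored
] + [Flow(4.0 + 0.1 * i, "10.1.1.10", "10.1.1.50", 1502, "udp", DIAG_CMD) for i in range(25)]


def demo():
    """Run the heuristics over the constructed sample and return the alert list."""
    return analyze(SAMPLE_FLOWS, EWS_ALLOWLIST, SITE_NET)


if __name__ == "__main__":
    for a in demo():
        print(a.severity, a.rule, a.src, a.detail)
```

The first three rules are the ones worth wiring into a SIEM: a broadcast to 1502, TriStation from a host that is not an engineering workstation, and any program-changing command. The diagnostic-request burst rule is deliberately low severity: the implant's channel is designed to look like a legitimate diagnostic poll, so without a per-site baseline this heuristic produces false positives from normal TriStation use and can miss a patient operator.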
References
1. Blake Johnson, Dan Caban, Marina Krotofil, Dan Scali, Nathan Brubaker, Christopher Glyer. (2017, December 14). Attackers Deploy New ICS Attack Framework "TRITON" and Cause Operational Disruption to Critical Infrastructure. Retrieved January 12, 2018.
2. Dragos. (2017, December 13). TRISIS Malware: Analysis of Safety System Targeted Malware. Retrieved January 12, 2018.
3. DHS CISA. (2019, February 27). MAR-17-352-01 HatMan - Safety System Targeted Malware (Update B). Retrieved March 8, 2019.
4. Schneider Electric. (2018, January 23). TRITON - Schneider Electric Analysis and Disclosure. Retrieved March 14, 2019.
5. Julian Gutmanis. (2019, March 11). Triton - A Report From The Trenches. Retrieved March 11, 2019.
6. Schneider Electric. (2018, December 14). Security Notification - EcoStruxure Triconex Tricon V3. Retrieved August 26, 2019.
7. Jos Wetzels. (2018, January 16). Analyzing the TRITON industrial malware. Retrieved October 22, 2019.
8. MDudek-ICS. (n.d.). TRISIS-TRITON-HATMAN. Retrieved November 3, 2019.
9. ICS-CERT. (2018, December 18). Advisory (ICSA-18-107-02) - Schneider Electric Triconex Tricon (Update B). Retrieved March 8, 2019.
10. The Office of Nuclear Reactor Regulation. (n.d.). Triconex Topical Report 7286-545-1. Retrieved May 30, 2018.