Triton Malware. The first Cyber Terrorist attack.

This is a case study of the Triton malware attack, executed in 2017 against a petrochemical plant in Saudi Arabia. The plant has been described as belonging to SABIC, which is 70% owned by Saudi Aramco, the largest oil producer globally; note that the responders interviewed in the cited podcast did not name the victim, and later public reporting (E&E News, 2019) identified the plant as Petro Rabigh, a Saudi Aramco joint venture.

Wyatt Black

4/7/2025 | 8 min read

SABIC, 70% owned by Saudi Aramco, is one of the largest petrochemical producers on earth, supplying plastics and other petroleum-based materials to car makers, medical suppliers and many other industries; most of us have used a SABIC product without knowing it. This story is about a chemical plant in that corporate family, the safety controllers that were compromised there in what this page treats as the first act of cyber terrorism ever discovered, and how the hazard it created could have been mitigated by Sentinel AI Security. More information can be found at https://en.wikipedia.org/wiki/Triton_(malware)

OT (operational technology) is the hardware and software that monitors and controls physical processes: PLCs, DCS and SCADA systems, HVAC, and the other industrial controls in a plant. In a facility like this it is everywhere. A safety instrumented system (SIS) is a separate layer whose job is to take the process to a safe state, usually a shutdown, when it detects a hazardous condition, independently of the normal control system. The SIS at this plant was built on Schneider Electric's Triconex controllers.

The incident started in June 2017, when one emergency-shutdown controller tripped and raised alarms on several systems. The plant called the manufacturer to see if there was a fault; Schneider Electric inspected the controller, found nothing wrong, and the plant came back online. Nobody had looked in the right place. On Friday, 4 August 2017, at about 8:30 pm, the SIS alarmed again and the safety system shut the plant down. The alarm came from the safety system covering the sulfur-processing unit. Later analysis showed that the controllers had failed an internal validation check after the attacker's code was loaded into them and had gone to their fail-safe state: it was the controllers faulting, not a real process hazard, that tripped the plant.

Changing a Triconex controller's program is supposed to require physical presence: a key is inserted into the controller and turned from RUN to PROGRAM, and only then will the controller accept a new configuration. It was found that six controllers had been left with their key switches in PROGRAM, so anyone who could reach them over the network from an engineering workstation could download changes without anyone standing at the cabinet. That is what made a major compromise possible. No authorized changes were scheduled for late on a Friday evening. Operators had been seeing alarms, but they were acknowledging and clearing them without investigating. When the attacker's configuration was downloaded, the controllers raised a fault, went to their fail-safe state and restarted, and the plant shut down; this time six controllers were involved. The onsite team investigated and found an unauthorized RDP session: an unknown actor had gained access to the engineering workstations and used them to push changes to the controllers.
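The three conditions in that paragraph (controllers left in PROGRAM, program downloads and remote logons outside any change window, and a remote logon followed by a download from the same workstation) are all things a site can alert on with very little data. The following is an added example, not code from the page, the plant, or the responders: it runs that detection logic over a few constructed events. The controller names, workstation name, event fields, addresses and the Monday-to-Thursday change window are assumptions for the example; in a real deployment the key-switch inventory would come from a walk-down or the controller diagnostics and the events from workstation logs.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed inventory of key-switch positions (controller names are assumed).
KEYSWITCH_STATE = {
    "SIS-01": "RUN",
    "SIS-02": "PROGRAM",
    "SIS-03": "PROGRAM",
    "SIS-04": "RUN",
}

# Assumed change policy: SIS program changes only Mon-Thu, 08:00-17:00.
APPROVED_DAYS = {0, 1, 2, 3}          # Monday == 0
APPROVED_START, APPROVED_END = time(8, 0), time(17, 0)


@dataclass
class Event:
    ts: datetime
    host: str     # engineering workstation the event was recorded on
    kind: str     # "rdp_logon" or "tristation_download"
    detail: str


# Constructed events. The 4 Aug 2017 evening entries mirror the page's timeline;
# the 1 Aug entry is a legitimate daytime change for contrast.
EVENTS = [
    Event(datetime(2017, 8, 1, 10, 15), "EWS-01", "tristation_download", "SIS-01, ticket CHG-0417"),
    Event(datetime(2017, 8, 4, 20, 12), "EWS-01", "rdp_logon", "source 10.0.5.20"),
    Event(datetime(2017, 8, 4, 20, 30), "EWS-01", "tristation_download", "SIS-02, no ticket"),
    Event(datetime(2017, 8, 4, 20, 33), "EWS-01", "tristation_download", "SIS-03, no ticket"),
]


def in_approved_window(ts):
    """True only inside the assumed maintenance window."""
    return ts.weekday() in APPROVED_DAYS and APPROVED_START <= ts.time() <= APPROVED_END


def keyswitch_findings(state=KEYSWITCH_STATE):
    """Any controller sitting in PROGRAM is writable over the network; list them."""
    return sorted(name for name, pos in state.items() if pos == "PROGRAM")


def offhours_findings(events=EVENTS):
    """Off-hours RDP logons to, and SIS program downloads from, engineering workstations."""
    labels = {"rdp_logon": "off-hours RDP logon", "tristation_download": "off-hours SIS download"}
    return [(e.ts.isoformat(), e.host, labels[e.kind] + ": " + e.detail)
            for e in events if e.kind in labels and not in_approved_window(e.ts)]


def rdp_then_download(events=EVENTS, window_minutes=30):
    """The chain from the page: a remote logon followed, on the same workstation,
    by a program download to a safety controller within window_minutes."""
    logons = [e for e in events if e.kind == "rdp_logon"]
    chains = []
    for d in events:
        if d.kind != "tristation_download":
            continue
        for l in logons:
            gap = (d.ts - l.ts).total_seconds()
            if l.host == d.host and 0 <= gap <= window_minutes * 60:
                chains.append((l.ts.isoformat(), d.ts.isoformat(), d.host, d.detail))
    return chains


if __name__ == "__main__":
    for c in keyswitch_findings():
        print("KEY SWITCH IN PROGRAM:", c)
    for f in offhours_findings():
        print("OFF-HOURS:", *f)
    for c in rdp_then_download():
        print("RDP LOGON -> SIS DOWNLOAD:", *c)
```

The key-switch check is the one that matters most: a controller in PROGRAM is writable by anything that can reach it, so the inventory should be collected on a schedule and any PROGRAM entry with no open change ticket treated as an incident rather than a housekeeping note.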

They called for additional help, as the onsite crew was not equipped or knowledgeable enough to resolve the issue. At that point it could still have been a mechanical failure or a computer failure, but they were seeing strange logins on a Friday night, of all nights. A team of emergency responders able to do forensics on the controllers and workstations was assembled and sent out to fix the issue and, if possible, identify whoever was responsible. An outside attack seemed implausible to the plant, which believed its network was isolated and its cybersecurity controls extensive. The responders arrived the following day.

By the time the responders checked in at the security desk the plant was already down: the safety controllers had tripped and shut down the facility in its entirety. The first thing they did on arrival was interview the operators and engineers to get the lay of the land.

The problem sat in embedded systems, so getting information out of them was difficult; the controllers run neither Windows nor Linux. A key clue was a discrepancy between the program the engineers expected to be on the controllers and what was actually loaded, which meant software was present that should not have been. The responders initially assumed a remote attack and turned to the engineering workstations, looking for diagnostic data and forensic images that would explain the shutdowns. Malware was found in an HP-named folder on a workstation, although the site had no HP computers or printers. Inside the folder was a Python runtime DLL, consistent with a Python script packaged as a Windows executable with py2exe.

Hydrogen sulfide (H2S) was the major hazard at the facility. It is corrosive, flammable and acutely toxic: at high concentrations a single breath can be fatal. The compromised system was the one responsible for shutting the plant down if H2S reached unsafe levels. The company wanted to restart the plant, which had now been down for a week, because every day of downtime was expensive.

The investigators initially suspected an insider. They identified the affected controllers, found the Triconex anomalies and found the RDP (remote desktop protocol) session. They began by snapshotting volatile state on the engineering workstations: event logs, running processes, open network connections and so on. Two files stood out, trilog.exe and library.zip. Running on an engineering workstation, trilog.exe talked to the safety controllers over the Triconex engineering protocol and downloaded the attacker's binary payloads into them; those payloads are what caused the outage.

They then set about attributing the attack and found that the files had come in through a rogue jump box in the DMZ (the demilitarized zone between the corporate network and the plant network), exploiting a gap between the DMZ and the VPN. An external party had been logged into the engineering network and had compiled a list of safety controllers whose key switches were in PROGRAM.
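The snapshot the responders took of running processes and open connections is exactly what exposes both of the facts in the last two paragraphs: a remote desktop session from a DMZ address, and a process that is not the vendor's engineering software talking the Triconex engineering protocol (TriStation, UDP port 1502) to the safety controllers. The block below is an added example, not the responders' or FireEye's tooling. It parses a constructed, simplified process list and socket table from an engineering workstation and returns those two findings. The zone ranges, workstation address, process IDs and the name "tristation.exe" (a placeholder for the vendor's legitimate engineering software) are assumptions; trilog.exe is the file name the page reports. Because the controller implant lived only in memory, a snapshot like this must be taken before anything is rebooted.

```python
import ipaddress

# Assumed network zones for the example.
DMZ_NET = ipaddress.ip_network("10.0.5.0/24")    # where the rogue jump box sat
SIS_NET = ipaddress.ip_network("10.1.30.0/24")   # Triconex safety controllers
TRISTATION_PORT = 1502                           # UDP; Triconex engineering protocol
RDP_PORT = 3389

# Assumed site allow-list: the only image that should ever speak TriStation.
# "tristation.exe" is a placeholder name, not the vendor's real binary.
APPROVED_TRISTATION_PROCS = {"tristation.exe"}

# Constructed process list (pid -> image name) from workstation 10.1.20.11.
PROCESSES = {
    812: "explorer.exe",
    1200: "tristation.exe",
    3388: "trilog.exe",      # the attacker's tool, as named on the page
    4520: "svchost.exe",     # hosts the Remote Desktop service
}

# Constructed socket table, one connection per line:
#   proto  local            remote           state        pid
SOCKETS = """
TCP 10.1.20.11:3389  10.0.5.20:51234  ESTABLISHED  4520
TCP 10.1.20.11:445   10.1.20.50:50021 ESTABLISHED  4
UDP 10.1.20.11:49102 10.1.30.2:1502   -            1200
UDP 10.1.20.11:49210 10.1.30.2:1502   -            3388
UDP 10.1.20.11:49211 10.1.30.3:1502   -            3388
"""


def parse_sockets(text=SOCKETS):
    """Turn the simplified table into rows with typed addresses and ports."""
    rows = []
    for line in text.strip().splitlines():
        proto, local, remote, state, pid = line.split()
        lhost, lport = local.rsplit(":", 1)
        rhost, rport = remote.rsplit(":", 1)
        rows.append({"proto": proto, "lhost": lhost, "lport": int(lport),
                     "rhost": ipaddress.ip_address(rhost), "rport": int(rport),
                     "state": state, "pid": int(pid)})
    return rows


def triage(procs=PROCESSES, sockets=None):
    """Return the two findings a responder wants from this snapshot:
    inbound RDP from the DMZ, and TriStation traffic from unapproved images."""
    rows = parse_sockets() if sockets is None else sockets
    rdp_from_dmz = []
    tristation_by_proc = {}
    for r in rows:
        name = procs.get(r["pid"], "<unknown>")
        # Any RDP session whose peer is in the DMZ crosses a zone boundary it should not.
        if r["proto"] == "TCP" and r["lport"] == RDP_PORT and r["rhost"] in DMZ_NET:
            rdp_from_dmz.append((str(r["rhost"]), r["pid"], name))
        # Collect every image talking TriStation to a controller, keyed by process.
        if r["proto"] == "UDP" and r["rport"] == TRISTATION_PORT and r["rhost"] in SIS_NET:
            tristation_by_proc.setdefault((r["pid"], name), set()).add(str(r["rhost"]))
    unapproved = {f"{name} (pid {pid})": sorted(targets)
                  for (pid, name), targets in tristation_by_proc.items()
                  if name not in APPROVED_TRISTATION_PROCS}
    return {"rdp_from_dmz": rdp_from_dmz, "unapproved_tristation": unapproved}


if __name__ == "__main__":
    result = triage()
    for peer, pid, name in result["rdp_from_dmz"]:
        print(f"RDP session from DMZ host {peer} (pid {pid}, {name})")
    for proc, controllers in result["unapproved_tristation"].items():
        print(f"Unapproved TriStation traffic from {proc} to controllers {controllers}")
```

The same two checks translate directly into firewall policy: nothing in the DMZ should be able to open RDP to an engineering workstation, and UDP/1502 toward the safety controllers should be permitted only from the designated engineering hosts, ideally only during an approved change window.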

The malware was among the most sophisticated ever seen and had not been observed before. When the workstations were examined again later, the malware was gone; someone had deleted it, and it was fortunate that the responders had taken the snapshots they did. The controller implant ran only in RAM (random access memory) and would have been wiped by a restart, yet the controllers kept behaving as before because they had not been restarted: safety controllers like these can run for years without a reboot, since the plant operates around the clock and depends on them.

At this point it was clear they were dealing with an advanced persistent threat: potentially a nation-state actor, or a group sponsored by a foreign government to carry out the attack. A new team was sent in to finish the work, although the original group still had much to do.

FireEye was brought in to complete the investigation and run the clean-up. The team sent specialized in OT devices and industrial controls; nobody had yet appreciated how valuable that skill set would turn out to be.

What they discovered was that the files found on the SIS contained function names ending in ".ext". This was first taken to mean "external", but once they established that the safety controllers were connected to the engineering workstations it became clear that it stood for "extended". The extension functions let the attackers write additional code into the controllers, effectively reprogramming them to ignore safety rules and, potentially, to open and close valves in the sulfur-processing systems themselves.

That would have allowed them, in the worst case, to flood the facility with H2S gas, which, as noted above, is deadly. It is poisonous and flammable, and at roughly 100 ppm it paralyzes the sense of smell, so a person can no longer detect it; exposure at the concentrations that do this can be fatal within minutes.

The attack was designed to cause destruction: the plant would keep running in an unsafe state while the controls meant to stop it looked the other way, with potential loss of life and loss of the plant itself. A control valve for H2S could be opened while the safety system was told to ignore the condition, and one spark could then cause an explosion. This was the first publicly documented case of malware built to attack a safety instrumented system, which is why this page treats it as the first act of cyber terrorism. There was no financial gain to be had from it; the only possible outcomes were destruction of the facility and massive loss of life.

The malware was named Triton (also known as Trisis). It was sophisticated: the controller implant sat in memory and waited for specially formatted packets carried over the same engineering protocol the controllers expect legitimate safety traffic on, so its commands blended in. The resources behind it pointed to a nation-state sponsor; the skills involved were beyond any person or group previously documented. It had the hallmarks of Stuxnet, the worm designed to destroy Iran's nuclear enrichment capability.

Then information started leaking. The US government received details of the attack, and someone uploaded the samples to VirusTotal, which returned nothing because the malware was unknown. That put the samples in the hands of every premium subscriber of the service, meaning the malware was now widely available and could be studied, or reused, by anyone with access.

The Department of Homeland Security was notified; this was the first instance of SIS malware discovered in the wild, and the US government became involved. The attackers were initially suspected to be Iranian, operating a state-sponsored campaign. Other reports pointed to Russia, and specifically to the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM) in Moscow. Institutes like this commonly have cybersecurity divisions, since studying cyber threats to their technologies and to critical infrastructure is part of their remit. An IP address tied to the attack infrastructure resolved to Moscow, where CNIIHM is located, and the same address had been seen doing reconnaissance against other plants and in other suspicious activity.

This malware attack was extreme, and the toll it could have exacted would have been catastrophic. The controller implant itself was novel and would not have been caught by any signature, and in that sense the exploit could not have been discovered in advance. The conditions that let the attackers use it, however, were ordinary control failures: key switches left in PROGRAM, program downloads accepted late on a Friday with no change ticket, a jump box in the DMZ with a path into the engineering network, and alarms cleared without investigation. Personally, I couldn't think of any way to handle it as such without proper hindsight, and I have been involved in cybersecurity for a number of years. The response itself, once responders were on site, was handled about as well as their constraints allowed.

Sentinel AI Security can act as a barrier in situations like this, covering the case where the safety control systems that manage air flow and air quality have failed. H2S is about 18% denser than air (molar mass 34.1 g/mol against roughly 29 g/mol for air), and our systems can detect it regardless of whether the safety control systems are working. We would act as a primary, secondary and final line of defense for the detection of hazardous gases.

Our technology uses wireless (Wi-Fi) signals and detects disturbances in the radio channel. That data is fed into an AI model that maps a facility from top to bottom and detects changes within it. This technology can be made sensitive enough to recreate the sound of a single instrument in an orchestra and replay it using only the acoustic disturbances in the air. The same level of sensitivity lets us find disturbances in the air quality of a surveyed area: a gas denser than atmospheric air stands out against a room filled with ordinary air.

The compromise of the controllers could not have been prevented by signatures alone; a nation-state attack using a previously unknown implant is the worst case for any business. But the main concern of the responders was that the air they were breathing might be toxic and could kill them, because the plant was still a working environment while they did their job. The same concern applied to every other employee on site; their lives were at stake. That part of the scenario could have been avoided: with independent hazard detection in place, the same investigation could have proceeded to the same outcome without the risk of casualties that hung over this one.

It was nearly a week into the incident before the issue was identified and remediated, and it was a long, arduous and stressful week for everyone involved, because the hazard was present throughout. With safety protocols that do not depend on any embedded system, a facility can stay safe without the threat of death looming over its people. Sentinel AI Security provides the strongest defense we know of against hazards of this kind, and we strive for perfection in every situation.

Sources:

https://www.zmescience.com/feature-post/technology-articles/computer-science/wifi-router-sees-people-through-walls/

https://en.wikipedia.org/wiki/Triton_(malware)

Interviews with responders to the incident (Darknet Diaries, episode 68):

https://darknetdiaries.com/episode/68/
