Trisis ICS malware was publicly available after attack

The Trisis ICS malware used in a cyberattack on an oil and gas company in Saudi Arabia in December has been publicly available for weeks after being copied by unknown actors.

The malware used in an industrial control system attack in December has been found circulating publicly on the internet after being copied from an online database.

The Trisis industrial control system (ICS) malware was first disclosed by FireEye's Mandiant threat research team on Dec. 14, 2017, after an attack on an unknown organization. The malware specifically targeted the Triconex Safety Instrumented System (SIS) controllers made by Schneider Electric, and it has been called either Triton or Trisis because of this.

One week after the initial reveal by Mandiant, Schneider Electric reportedly posted a file containing sensitive pieces of the Trisis malware framework to VirusTotal -- an antivirus scan database owned by Google -- on Dec. 22. CyberScoop, which first reported the story, said Schneider Electric quickly received a notice to remove the file from VirusTotal. But before the file could be removed, it had already been copied and reposted to other code repositories, like GitHub. And it has been freely available ever since.

Although the framework file Schneider Electric accidentally posted would not, by itself, be enough to re-create the ICS malware, the main Trisis executable, Trilog.exe, had also been published.

Paul Brager Jr., technical product security leader at Houston-based Baker Hughes and former cybersecurity project manager focused on ICS at Booz Allen Hamilton, said, "It is highly conceivable that variants of Trisis could surface that are tailored toward control systems by Siemens, Rockwell Automation, Honeywell or other digital industrial manufacturers." 

"Because most control environments are not homogenous, patching one series of vulnerabilities for a particular manufacturer does not necessarily lessen the exposure to the infrastructure from something like Trisis, or a variant therein," Brager told SearchSecurity. "What we are seeing is an effort to engage control systems not only at the constituent components, but the underlying systems that seek to manage those control environments. Just as Trisis was written to target a specific Schneider SIS, there is nothing preventing nation-state actors with the means and resources to refashion Trisis to target any SIS or other ICS subsystem with vulnerabilities that can be exploited."

Eddie Habibi, founder and CEO of PAS Global, an ICS cybersecurity company headquartered in Houston, said the problem is "there are two speeds in ICS cybersecurity: industry speed and hacker speed." 

"Hackers can move much more quickly than industry. Industry may not patch a system for months or ever, depending on assessed risk," Habibi told SearchSecurity. "Although this may sound ominous, industry does have safeguards in place that protect reliability and safety. The problem is that hackers are learning more about these systems and how to manipulate them, as we saw in the Trisis attack."

Bryan Singer, director of industrial cybersecurity services at IOActive, a cybersecurity company headquartered in Seattle, said the threat of Trisis being repurposed may not have sunk in with organizations.

"Wake-up calls haven't woke [sic] anybody up. In watershed moments such as Equifax, Target and Triconex, everyone freaks out, but doesn't do anything," Singer told SearchSecurity. "We'll see a lot of the same here -- people like to dismiss the threat and think it won't happen because they're not being targeted. IT proves this completely untrue. There are far too many attack mechanisms to say it won't happen to us."

ICS patching issues

Experts noted if organizations don't fully recognize the threat, it may be even more difficult to harden security because of the inherent differences in patching ICS.


Brager noted patching in ICS environments can be especially tricky, as "many of the components, applications and services are proprietary and highly interdependent."

"Because of the critical process potential of ICS systems and their components, significant testing is usually required to ensure that an applied patch yields an expected outcome and does not interfere with, or degrade in any fashion, the operations of the control system," Brager said. "This requirement and diligence typically extends out the patching cycle within [operational technology (OT)] environments -- often months -- and ultimately depends on the ability to patch and the resource availability to do so."

Emily Miller, director of national security and critical infrastructure programs at San Francisco-based Mocana Corp., and formerly the chief of process management for the Department of Homeland Security ICS Cyber Emergency Response Team, said the flaws that allowed the Trisis attack were not an inherent vulnerability in the device, but "due to poor cyber hygiene."

"In operational environments, patching is tricky business. Remember, in OT, we're talking about devices that control physical processes that can impact lives, not just bits and bytes of data," Miller told SearchSecurity. "Quickly patching devices, as you would expect to see in an IT environment, can have real, catastrophic consequences in an operational environment."

ICS defense

Brager said, traditionally, ICS systems are kept isolated from external networks, but growing interconnectivity is making security more difficult.

"For many years, ICS environments were largely thought to be physically and logically isolated from other networks and/or environments. Connectivity was largely a function of interconnected buses and short-run links that allowed communication through a closed-loop architecture," Brager said. "Network enablement of components within ICS expanded the threat landscape exponentially, as systems that were not originally designed to be internet- [or] network-facing suddenly were -- and the facilities needed to patch these devices were largely immature and arduous."

Habibi agreed isolating ICS is no longer a sufficient security strategy.

"After years of reconnaissance, the bad guys have shown they can penetrate those defensive layers, bridge the illusory air gap and take deliberate control over process. CRASHOVERRIDE did not need a vulnerability to bring down power in the Ukraine -- only ICS and process knowledge that had been built over time," Habibi said. "A successful Trisis-like attack, under certain circumstances, can lead to a catastrophic accident. Consider a scenario where a skilled malicious attacker breaches a Triconex system, which is designed to safely shut down a reactor in a fluid catalytic cracking unit in a refinery, by bypassing the trip function. This simple change could act as a time bomb and remove the fail-safe that ultimately protects the plant from a catastrophic event."

Miller said the Trisis attack is "more evidence that we need to start approaching this problem differently." 

"Rather than continuing to chase vulnerabilities and trying to implement an IT approach to OT security, we should instead think about how we can make critical devices inherently secure and more difficult for hackers to gain access," Miller said. "Without access to an ICS device, hackers cannot begin to take advantage of a vulnerability. Certainly, defense in depth methodologies and good cyber hygiene are a part of the solution, but what happens when those techniques fail, and the actors can remotely access a device and potentially manipulate it?"
