Bringing cybersecurity globally to critical and complex key activities
ATK91 (aka: TRITON Group, Xenotime) is known for the Triton malware. Triton is an attack framework allowing the manipulation of Security Systems Industrial Control Systems (ICS) of critical infrastructures discovered at the end of 2017 when it has caused an accidental shutdown of the machines. FireEye has awarded the development of TRITON to a Muscovite research institute linked to the Russian government. The attacker's tools and TTPs indicate that he has prepared to conduct operations that can last several years and require a long preparation. In the 2017 attack, the group compromised the target's network almost a year before reaching the SIS (Safety Instrument System). During this period, priority seems to have been given to safety operational. His lack of "curiosity" during the operation may indicate that the attacker is waiting for something before acting visibly.
Triton is a highly sophisticated malware for manipulating the Industrial Control Systems (ICS) of critical infrastructures discovered at the end of 2017. It is difficult to definitively determine the motivation behind this campaign. According to several observers, the main objective of the campaign was to test the tools and refine the techniques.
It should be noted that according to Dragos, the ATK91 (Xenotime) group is probably one of the most dangerous groups known to date, since it attacks industrial security systems almost exclusively with destructive intent resulting in loss of life. The Thales Cyber Threat Intelligence team shares this observation. Certainly, in its Cyber Threat Handbook of the 66 most dangerous attackers in the world, the Centre for Technical Threat Analysis ranks the group only 30th with a score of 59 out of 100. This score means above all that the group does not represent a global threat to date, as it is extremely specialized and is not yet operational to our knowledge. However, the motivation and the technical level reached by ATK91 (Xenotime), to compromise industrial control systems, makes it a formidable attacker whose attacks can have serious consequences on the security of people and infrastructures.
This initial attack on Saudi interests by a group whose origin appears to be Russian is taking place in an unusual international context. It should be recalled that since the end of 2017, Russia and Saudi Arabia have been moving closer together on the diplomatic front. However, if we look at the sector targeted, namely oil, we must remember that since 2014 and the annexation of Crimea, pressure from the West on Russia has been added to the fall in world oil prices, which has plunged Russia into a recession. To stimulate investment, the Kremlin had to find capital and foreign exchange. For this reason, Russia has moved closer to Saudi Arabia, whose alliance with the United States had weakened under the Obama era in the alder of the Iranian nuclear agreement, supported by the former US President. On 1 January 2017, the two countries decided to reduce oil production volumes to 1.8 million barrels/day in order to increase the price of black gold. The attack on Triton at the end of 2017 took place 9 months later, when King Salman travelled to Moscow (November 2017) to prepare for the next OPEC+ meeting, which was supposed to lead to a further reduction in production after March 2018. Nevertheless, the last 9 months have been marked by two important events that have redefined everyone's interests. The change in US position in favor of Saudi Arabia during the Trump era by denouncing the Iranian nuclear agreement and the Gulf crisis of June 2017, which increased tension between the Kingdom and its Shiite alter ego, weakened relations between Russia and the Saudis. After the meeting of the two leaders and the attack on Saudi Arabia that paralyzed its oil company, Triton launched new attacks in 2018 in the Middle East region and against the United States. Good relations between Saudi Arabia and Russia were reconfirmed in the second week of June 2018, when Saudi Arabia and Russia agreed to stabilize oil prices at an average level of 75 dollars per barrel, while King Ben Salman and President Putin were meeting in Moscow for opening the Football World Cup, which took place on the 14th.
It should be noted that according to Dragos, the Triton group (Xenotime) is undoubtedly one of the most dangerous groups known to date since it attacks industrial security systems almost exclusively with destructive intent involving loss of human life.
At the end of 2017, an oil and gas facility in Saudi Arabia experienced downtime due to an infection with a strain of malware capable of interfacing with the facility's industrial control systems. The malware was targeted at Schneider's Triconex instrumented security system. Access to the system was achieved in the classic way with phishing and hacking of the ID by changing the telephone number to receive the SMS message giving the administrator password. The group then compromised a system administrator workstation, after having laterally crossed the demilitarized zone constituting the airlock between the IT and OT network. The identifiers were then used to access and compromise the SIS controllers. The controllers were placed in "Program Mode" during their operation, allowing the attackers to reprogram them. The attackers stayed for almost a year in the Triconex system engineering station. It was from this starting point that they were able to send a Trojan horse to infect the memory of the SIS controllers via a zero-day operation allowing a privilege upgrade. From that point on, the attacker had complete control of the plant. One year after the intrusion, on June 3, 2017, ATK91 (Xenotime) went into attack mode. Quickly, the procedure for securing the petrochemical plant was triggered and the temperature and pressure began to drop. The machines stopped in emergency. Two months later, almost to the day, the same phenomenon occurred, suggesting a major cyber-attack.
It is believed that on the first attempt the group inadvertently shut down the plant, as some controllers shut themselves down when their logic code failed a validation check. The protocol attacked by the group is proprietary, suggesting prior reverse engineering. In addition, the development of the tool would require access to both hardware and software that are difficult to acquire. Such an attack requires a high level of technical knowledge and, although it is unlikely to be reproducible on a large scale, it shows that the attacker is sufficiently capable of attacking and potentially causing physical damage to plants and industrial systems. The group would be linked to the Central Scientific Research Institute of Chemistry and Mechanics in Moscow for the following reasons:
Personal links with that Institute,
An IP address used by the attacker,
Correspondence between business hours and working hours in Moscow.
This institution studies ways to protect critical infrastructure and develops weapons and military equipment. The group has been using test environments to check the internal workings of its malware since at least 2013. Other intrusions by this attacker into the Middle East were carried out at undisclosed dates, focusing on oil and gas companies until the end of 2018. It should be noted that the group has also begun probing energy systems in the United States and other countries.
Xenotime uses a dozen custom and public tools to carry out its attacks. The custom tools reimplement features of the public tools by adding anti-detection methods. These tools appear to be used during critical phases of the intrusion.
Attacks on industrial systems are long (several months or years) since they require learning how to exploit the target's industrial process and developing the appropriate tools. The attack is therefore preceded by a discovery, learning and preparation phase during which the attacker will set up his attack infrastructure. The infrastructure uses VPS servers from international hosting providers (OVH or UK-2 Limited), VPNs and Dynamic DNS allowing regular changes of IP addresses. After penetrating the target's network, the attacker needs to ensure persistent and very discreet access throughout the mission.
Xenotime therefore uses several methods to hide its activities:
Renaming files to make them appear legitimate (using Microsoft Update file naming),
Use of standard tools simulating the activity of an administrator (RDP, PsExec, WinRM),
Editing legitimate Outlook Exchange files to open web access,
Use of encrypted communication for sending commands and programs,
Use of multiple subfolders rarely used by users or programs,
Regular cleaning of attack tools, activity logs, temporary files after use,
Changes to the dates contained in the files (creation and modification dates),
Use of VPN networks, allowing to hide the IP address of the attacker.
Malware persistence on compromised machines is achieved by creating an "Image File Execution Options" registry key or scheduled tasks. After reaching the targeted SIS controllers, the attacker focuses on deploying TRITON by limiting his activities to off-peak hours to avoid being discovered. TRITON then allows full control of these systems.
This modus operandi, largely based on a concern for non-detection, allows us to draw two conclusions. Firstly, this line of development is typical of state-sponsored attackers. The latter do not wish to be linked to offensive computer systems with a geo-strategic dimension and demand that the groups finance the greatest possible discretion. In the present case, the fact that the group is linked to a national research institution and that its modus operandi is devoted to destruction reinforces this hypothesis. The second conclusion that can be drawn from this emphasis on concealment is that it confirms the non-operational nature of the attacker's arsenal at the time of the attack. The ambition is to remain as long as possible in the target's systems in order to increasingly test his tool.
The case of this group shows that the theory of security by darkness, which consists in thinking that an ICS/SCADA system is complex and therefore secure, no longer holds. The rise in the quality of attacker groups, the generalization of protocols and the standardization of systems have changed the situation.
December, 14, 2017, FireEye, Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure
June, 07, 2018, FireEye, A Totally Tubular Treatise on TRITON and TriStation
October, 23, 2018, FireEye, TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers
February, 25, 2019, DragoS, Evolution of ICS Attacks and the Prospects for Future Disruptive Events
April, 10, 2019, FireEye, TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping
June, 14, 2019, Dragos, Threat Proliferation in ICS Cybersecurity: XENOTIME Now Targeting Electric Sector, in Addition to Oil and Gas
October, 12, 2017, The Conversation, http://theconversation.com/russie-arabie-saoudite-un-rapprochement-qui-agace-washington-85475
June, 21, 2018, Le Monde, https://www.lemonde.fr/economie/article/2018/06/21/petrole-l-arabie-saoudite-et-la-russie-font-front-commun-face-a-l-iran_5318906_3234.html
2019, DragoS, https://dragos.com/resource/xenotime/
REFERENCES