The hackers behind the notorious malware known as Trisis, code that targets the safety instrumented systems meant to prevent catastrophic failures at dangerous industrial facilities, are back.
Researchers from the cybersecurity firm FireEye tracking the hackers behind Trisis (also known as Triton), which targeted a Saudi petrochemical plant in 2017, found the same group has infected a second unspecified “critical infrastructure” facility. The group was previously linked to the Russian government.
Ever since its emergence in 2017, Trisis has been described as “the next generation in cyberweaponry,” malware that by its very existence intensifies the global hacking arms race.
Few details about the second attack are available, other than that the group was discovered deploying custom-built malware against traditional IT networks to steal credentials and run commands on remote machines. That differs from the original Trisis attack, which directly targeted industrial control systems. The new discovery points to the continued activity of one of the world’s most infamous hacking groups.
The attackers behind Trisis have also been tied to other activity, including successful targeting of U.S. industrial firms.
The newly reported attack was caught in its early stages, while the group was still building up the access it would need to cause physical damage at the targeted facility. Defenders found new custom tool sets designed to gain a foothold in the target’s systems.
Researchers also examined the August 2017 attack against the Saudi facility in depth, revealing that the hackers spent over a year methodically working to gain access without alerting defenders. That timeline and deliberate approach, researchers said, suggests a focus on stealth and probably means the group is present in other targeted facilities where it has yet to be detected.
The 2017 Trisis attack might have caused physical destruction at the Saudi petrochemical facility if the malware hadn’t contained a bug. Instead of causing major damage, the attack only triggered a safety shutdown and put the cybersecurity world on alert.
Trisis belongs to an exceedingly rare and powerful breed of malware built to target industrial control systems (ICS). Other examples include Stuxnet, which targeted Iranian nuclear facilities and was discovered in 2010, and CrashOverride, which caused a blackout in Ukraine in 2016.
“These attacks are also often carried out by nation states that may be interested in preparing for contingency operations rather than conducting an immediate attack,” the FireEye report says. “During this time, the attacker must ensure continued access to the target environment or risk losing years of effort and potentially expensive custom ICS malware. This attack was no exception.”
FireEye’s report contained a list of files, hashes, and tactics, techniques, and procedures (TTPs) to help defenders hunt for the still-active hacking group.
“Not only can these TTPs be used to find evidence of intrusions, but identification of activity that has strong overlaps with the actor’s favored techniques can lead to stronger assessments of actor association, further bolstering incident response efforts,” the report says.
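The simplest use of a published hash list is to sweep hosts for files whose digest matches an indicator. The script below is an added example, not FireEye’s tooling and not code from the report; its indicator list is constructed for illustration (it contains only the SHA-256 of an empty file) and carries no real Trisis/Triton indicator, so substitute the report’s hashes before using it.

```python
"""Added example: sweep a directory tree for files whose SHA-256 matches an IOC.

Not FireEye's tooling and not code from the report. The IOC list below is
constructed for illustration and contains no real Trisis/Triton indicator.
"""
import hashlib
import os
import tempfile

# Constructed indicator list in the "sha256  note" style many reports use.
# These are NOT indicators from the FireEye report.
SAMPLE_IOC_LINES = """
# sha256                                                            note
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  constructed: empty file
""".strip().splitlines()


def load_iocs(lines):
    """Parse 'hash  note' lines into {sha256: note}; skip blank and comment lines."""
    iocs = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        digest = parts[0].lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"not a SHA-256 hex digest: {digest!r}")
        iocs[digest] = parts[1] if len(parts) > 1 else ""
    return iocs


def sha256_file(path, chunk=1 << 20):
    """Hash the file in chunks so large binaries are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, iocs):
    """Walk root; return [(path, sha256, note)] for every file whose hash is an IOC."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if digest in iocs:
                hits.append((path, digest, iocs[digest]))
    return hits


def demo():
    """Build a throwaway tree with one matching (empty) file and one benign file."""
    root = tempfile.mkdtemp(prefix="ioc-demo-")
    open(os.path.join(root, "suspect.bin"), "wb").close()  # empty: matches the IOC
    with open(os.path.join(root, "benign.txt"), "wb") as f:
        f.write(b"nothing to see here\n")
    hits = scan_tree(root, load_iocs(SAMPLE_IOC_LINES))
    return [(os.path.basename(p), d, n) for p, d, n in hits]


if __name__ == "__main__":
    for name, digest, note in demo():
        print(f"IOC hit: {name} {digest} ({note})")
```

Hash matching is cheap but brittle: the report describes custom-built tooling, and a recompiled or repacked sample gets a new digest, which is why the report pairs its hash list with TTPs. Treat a hash sweep as the first pass of a hunt, not the whole of it.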