TRITON Evaluation: Operational Flow
The Operational Flow separated technique execution into sequences we referred to as “Steps”, which are grouped in higher-level abstractions called “Phases”. Organizing our execution into Phases and Steps ensured that the detection displayed was correctly associated with the technique that was being tested. Each Step corresponded to an adversary’s intended goal during an operation.
Phase 1: Initial Compromise
Steps Included: 1, 2, 3

High Level Overview of Emulation and Techniques Evaluated | Cited Intelligence |
---|---|
The scenario begins with the adversaries having a foothold on an application server within a shared DMZ between the target petrochemical company’s corporate network and the ICS network. This foothold was established during a prior phase of the campaign and handed off to the ICS-focused adversaries. These adversaries then used captured valid credentials to log in remotely to a Windows-based engineering workstation within the process environment using Remote Desktop (RDP) over port 3389 (T0885). This initial RDP session passes through the ICS firewall as standard operator behavior. The attacker leverages their RDP access to perform a program upload using the Rockwell engineering tools and saves this file to the temp directory under the Engineer user. RDP shared folders are used to move persistence tools onto the control engineering workstation (EWS). | Triton adversaries leveraged valid accounts that were harvested throughout the operation. [1] Triton adversaries routinely used standard tools that would mimic legitimate administrator activities. This included heavy use of RDP. [2] [3] Triton adversaries gained remote access to an SIS engineering workstation. [1] |
Phase 2: Employ Persistence
Steps Included: 4, 5, 6

High Level Overview of Emulation and Techniques Evaluated | Cited Intelligence |
---|---|
To gain persistence on the control EWS, the adversary installed scheduled tasks by importing an XML task named SMB_Sync.xml into Task Scheduler. This task initiates a plink.exe reverse shell and local port redirection for RDP access. The outgoing SSH request was made over port 445 (T0885) to the application server in the DMZ. This port was selected to bypass firewall restrictions and to disguise the traffic as SMB. Once the SSH tunnel is in place, the adversaries reinitiate RDP over the encrypted tunnel to transfer and install the OpenSSH-based backdoor using a PowerShell install script named install-csp.ps1 (T0853). The OpenSSH backdoor was masqueraded as a proprietary Rockwell protocol, Client Server Protocol (CSP) [4]. Once installed, the SSHD component is masqueraded as CSP.exe with a local listening port of 2223 and service name rockwell-csp3 (T0849). Finally, an additional XML scheduled task, SMB_Update.xml, is imported to establish an additional tunnel for SSH traffic over port 445 (T0885). | Triton adversaries utilized customized OpenSSH PEs with content "Microsoft openSSH client." [2] Triton adversaries leveraged Scheduled Tasks XML triggers referencing unsigned .exe files. [2] Triton adversaries used tunneled RDP sessions over PLINK for remote access. [2] [4] |
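As an added defensive check that is not part of the evaluation or its tooling, the following Python triages an imported Task Scheduler XML for the Phase 2 pattern: an Exec action launching an SSH-family client from a user-writable path on a non-SSH port. The task XML, paths and hostname are constructed; the task schema namespace and plink's `-P` port option are real.

```python
"""Triage a Task Scheduler XML import for the Phase 2 persistence pattern:
an Exec action launching a tunnelling binary from a user-writable directory
on a non-SSH port. The sample task below is constructed, not SMB_Sync.xml."""
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
TUNNEL_TOOLS = {"plink.exe", "ssh.exe", "putty.exe"}          # SSH-family clients
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\",       # where EWS tasks normally live
                 "c:\\program files (x86)\\")
PORT_RE = re.compile(r"(?:-P\s+|:)(\d{1,5})\b")                # '-P 445' or 'host:445'


def task_xml(command: str, arguments: str) -> str:
    """Build a minimal Task Scheduler XML with one Exec action (constructed)."""
    return (f'<Task version="1.2" xmlns="{NS["t"]}">'
            "<Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>"
            '<Actions Context="Author"><Exec>'
            f"<Command>{command}</Command><Arguments>{arguments}</Arguments>"
            "</Exec></Actions></Task>")


def triage_task(xml_text: str) -> list[str]:
    """Return one finding per suspicious property of each Exec action."""
    findings = []
    for action in ET.fromstring(xml_text).findall("t:Actions/t:Exec", NS):
        cmd = action.findtext("t:Command", default="", namespaces=NS).strip()
        args = action.findtext("t:Arguments", default="", namespaces=NS).strip()
        name = PureWindowsPath(cmd).name.lower()
        ports = {int(p) for p in PORT_RE.findall(args)}
        if name in TUNNEL_TOOLS:
            findings.append(f"tunnelling tool launched by task: {name}")
        if not cmd.lower().startswith(TRUSTED_ROOTS):
            findings.append(f"executable outside trusted directories: {cmd}")
        if name in TUNNEL_TOOLS and ports and 22 not in ports:
            findings.append(f"SSH client using non-SSH port(s) {sorted(ports)}")
    return findings


# Constructed sample mirroring the Phase 2 task: plink from a temp directory, port 445.
SAMPLE_TASK = task_xml(r"C:\Users\Engineer\AppData\Local\Temp\plink.exe",
                       "-N -P 445 svc@appsrv.dmz.example")
```

Running `triage_task(SAMPLE_TASK)` yields three findings; a task launching a binary from `C:\Windows` on no unusual port yields none.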
Phase 3: Deploy Toolkit
Steps Included: 7, 8

High Level Overview of Emulation and Techniques Evaluated | Cited Intelligence |
---|---|
Now that persistence has been established on the control EWS, the attacker leverages SFTP over the port 445 tunnel to move a zip file of custom discovery tools. RSLINX_install.zip was moved from the application server in the DMZ to a local Rockwell temp directory. This serves as the staging and execution location for all custom EtherNet/IP tools. Two custom Python executable tools, RSLINX.exe and LogixMap.exe, are extracted into the Rockwell directory. | Triton files were staged and executed from temp directories. [2] Triton adversaries leveraged an unmodified but custom-compiled version of sftp-server.exe from OpenSSH. [4] |
Phase 4: Collection / Discovery
Steps Included: 9

High Level Overview of Emulation and Techniques Evaluated | Cited Intelligence |
---|---|
The attacker uses this stage to collect artifacts and discover information that will be used in later phases. The attacker accomplishes this with custom network and EtherNet/IP tools to discover additional assets and information about the environment. The attacker uses LogixMap.exe, a custom executable, to conduct a stealth scan across the network on TCP port 44818 to identify any EtherNet/IP-capable assets (T0846). This scan runs for multiple hours to limit detection. Following this, the attacker utilizes another custom Python tool, RSLINX.exe, to gather information from Rockwell assets over EtherNet/IP. This script conducts a broadcast discovery (T0888) (similar to “WhoActive” by Allen-Bradley), gathers the device type (T0888) and PLC operating mode (T0868), and dumps all tag names (T0871). | Triton is capable of autodetecting Triconex controllers by sending a specific UDP broadcast packet over port 1502. [5] [6] Triton contains the definitions to identify the key state (operating mode) and program state of a Triconex controller. [7] Triton was configured to masquerade as trilog.exe, which is the Triconex software for analyzing SIS logs. [1] |
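The two network-visible patterns in the flow so far, SSH carried over TCP 445 to pass as SMB (Phase 2) and the hours-long sweep of TCP 44818 for EtherNet/IP hosts (Phase 4), as added detection logic that is not part of the evaluation or its tooling. The connection records are constructed with Zeek conn.log-style fields; addresses, the 24-hour window and the five-target threshold are assumptions.

```python
"""Two network-side checks for the flow above: SSH carried on TCP 445 to pass
as SMB (Phase 2) and a slow sweep of TCP 44818 to find EtherNet/IP hosts
(Phase 4). The records are constructed with Zeek conn.log-like fields."""
from collections import defaultdict

# Service a flow was identified as -> port(s) that service normally uses.
EXPECTED_PORTS = {"ssh": {22}, "smb": {445}, "rdp": {3389}}
WINDOW = 24 * 3600      # seconds; long enough to add up an hours-long sweep
SWEEP_THRESHOLD = 5     # distinct 44818 targets from one source within WINDOW

# Constructed records: (ts, src, dst, proto, dport, service)
CONN_LOG = (
    # plink tunnel from the control EWS to the DMZ app server: SSH on the SMB port
    [(0, "10.10.2.20", "10.10.1.5", "tcp", 445, "ssh")]
    # genuine SMB and an operator RDP session on their usual ports
    + [(60, "10.10.2.21", "10.10.1.5", "tcp", 445, "smb"),
       (120, "10.10.1.5", "10.10.2.20", "tcp", 3389, "rdp")]
    # slow sweep: a new EtherNet/IP target about once an hour
    + [(3600 * i, "10.10.2.20", f"10.10.2.{30 + i}", "tcp", 44818, "-")
       for i in range(6)]
    # HMI polling the same PLC on 44818 every 10 minutes: one target, not a sweep
    + [(600 * i, "10.10.2.21", "10.10.2.40", "tcp", 44818, "-")
       for i in range(12)]
)

def port_service_mismatch(records):
    """Flows whose identified service does not belong on the destination port."""
    return [(ts, src, dst, dport, svc) for ts, src, dst, _, dport, svc in records
            if svc in EXPECTED_PORTS and dport not in EXPECTED_PORTS[svc]]

def slow_enip_sweep(records, window=WINDOW, threshold=SWEEP_THRESHOLD):
    """Sources touching >= threshold distinct hosts on TCP 44818 within window.
    Per-hour counters miss a one-host-an-hour sweep; a day-long sliding window
    adds the targets back up. Returns {src: most targets seen in one window}."""
    per_src = defaultdict(list)
    for ts, src, dst, proto, dport, _ in records:
        if proto == "tcp" and dport == 44818:
            per_src[src].append((ts, dst))
    hits = {}
    for src, events in per_src.items():
        events.sort()
        left = 0
        for i, (ts, _) in enumerate(events):
            while ts - events[left][0] > window:   # drop events older than window
                left += 1
            targets = {dst for _, dst in events[left:i + 1]}
            if len(targets) >= threshold:
                hits[src] = max(hits.get(src, 0), len(targets))
    return hits
```

With a 30-minute window the same sweep produces no hit, which is the point of pacing the scan over hours.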
Phase 5: Expand Access
Steps Included: 10, 11, 12, 13, 14, 15

High Level Overview of Emulation and Techniques Evaluated | Cited Intelligence |
---|---|
The attacker discovered an asset with the hostname USPCU-EWS-S-P001 and expanded their access into the safety EWS through valid accounts over RDP for remote access (T0885). This access was enabled by a misconfiguration within the environment, establishing the control EWS as a pivot point through the ICS network. Once on the safety EWS, the OpenSSH-based CSP tools were moved from the control EWS over a shared drive and installed for persistence. Since the safety system was not reachable from the DMZ application server, plink tunnels were not needed; access to the system was established directly over port 2223 between the control and safety EWS. The attacker leverages scp over port 2223 to move the custom discovery tools, LogixMap.exe and RSLINX.exe, as a zip file (RSLINX_Install.zip) from the control EWS onto the safety EWS. Before closing out of the established RDP session, the attacker leverages the Rockwell engineering tools to initiate a Program Upload (T0871) and saves this file into their temp Rockwell directory. | Triton utilized an OpenSSH-based backdoor for lateral movement. [2] Triton adversaries routinely used standard tools that would mimic legitimate administrator activities. This included heavy use of RDP. [2] [3] Triton adversaries gained remote access to an SIS engineering workstation. [1] |
Phase 6: Collection / Discovery
Steps Included: 16

High Level Overview of Emulation and Techniques Evaluated | Cited Intelligence |
---|---|
After gaining access to the safety EWS, the adversary executes their custom tool RSLINX.exe (T0853) to conduct the broadcast discovery (T0888) (similar to “WhoActive” by Allen-Bradley), gather the device type (T0888) and PLC operating mode (T0868), and dump all tag names (T0871). | Triton is capable of autodetecting Triconex controllers by sending a specific UDP broadcast packet over port 1502. [5] [6] Triton contains the definitions to identify the key state (operating mode) and program state of a Triconex controller. [7] Triton was configured to masquerade as trilog.exe, which is the Triconex software for analyzing SIS logs. [1] |
Phase 7: Deploy OT Toolkit
Steps Included: 17, 18, 19

High Level Overview of Emulation and Techniques Evaluated | Cited Intelligence |
---|---|
The attacker leverages the OpenSSH backdoor to move tools from the DMZ application server onto the control EWS through the persistent plink tunnel. This transfer is achieved through SFTP as a zip file named Install_RSLogix5000.zip. When extracted, the tools RSLogix5000.exe and RSComms.exe are created. Another zip toolkit, Install_Guardlogix.zip, is extracted and moved to the safety system over scp. | Triton adversaries leveraged an unmodified but custom-compiled version of sftp-server.exe from OpenSSH. [4] Triton was configured to masquerade as trilog.exe, which is the Triconex software for analyzing SIS logs. [1] |
Phase 8: Failed Attempt to Disable Safety Function
Steps Included: 20, 21

High Level Overview of Emulation and Techniques Evaluated | Cited Intelligence |
---|---|
The attacker modifies the safety controller program (T0889) over EtherNet/IP using the custom Python script RSLogix5000.exe from the safety EWS, allowing for future control of the safety system without having to change the key switch. This was accomplished through an online edit or program append action (T0843). [8] The attacker then monitors the command-and-control tag and actuates the malicious control logic to disable safety functions. However, because of an error in the malicious payload, it fails to prevent a trip as the attacker begins to manipulate the control process. This trip halts the operation of the burner management system. | Triton caused the safety system to enter a failed-safe state and tripped the industrial process, requiring asset owner intervention and investigation. [1] [5] |
Phase 9: Clean Up
Steps Included: 22

High Level Overview of Emulation and Techniques Evaluated | Cited Intelligence |
---|---|
Following the trip, the attacker changes the operating mode (T0858) of the safety PLC to Program Mode to allow for a full program download. The attacker then initiates a full program download (T0843) using the original program collected from the program upload. This action was primarily to wipe any artifacts of the malicious logic off the controller. Process operators respond to investigate and restart the plant following the shutdown. | Triton would reset the controller to the previous state over TriStation and, if this failed, it would write a dummy program to memory in what was likely an attempt at anti-forensics. [5] |
Phase 10: Infect Safety System Control Logic
Steps Included: 23, 24
Substeps 24.A.1 to 24.B.4

High Level Overview of Emulation and Techniques Evaluated | Cited Intelligence |
---|---|
The attacker modified the controller program to replace a specific task component of the controller program on the safety PLC (T0889). This task was part of the safety system trip logic which would shut down the control process and halt the system if a series of process indicators were present. Specifically for this attack, the “flame out”, “trip from HMI”, and “trip from field” indicators were crucial. With the new modified task, the attackers were able to communicate directly with the safety PLC and could disable these trip functions on command. Once disabled, automatic trips from the process and manual trips from an HMI or the field were ignored. | Triton does not leverage any 0-days but instead reprograms the target safety controllers via the TriStation protocol. [5] |
Phase 11: Disable Safety Function
Steps Included: 24
Substeps 24.C.1 to 24.C.3

High Level Overview of Emulation and Techniques Evaluated | Cited Intelligence |
---|---|
In the days after the safety trip, the attacker re-implements the safety payload and conducts another online edit (T0843) action to re-infect the safety controller program (T0889). Once the implant is installed, the attacker monitors their command-and-control tags before actuating the malicious logic (T0871). All communication with the malicious logic occurs as standard protocol commands and successfully disables the trip functionality. | Triton can communicate with the implant over the TriStation 'get main processor diagnostic data' command. [5] |
Phase 12: Manipulate DCS to Achieve Failure
Steps Included: 25

High Level Overview of Emulation and Techniques Evaluated | Cited Intelligence |
---|---|
After the safety implant was successfully installed, the attacker moves back to the control EWS to manipulate the burner. The attacker uses their custom tool RSComms.exe (T0853) to abuse the operational communication channel, allowing privileged communication with the control PLC and control of the process. The attacker initiates a privileged write to switch the air damper control from an auto cascade mode into manual HMI control mode (T0871). This allowed the adversary to write a new manual setpoint for the dampers, cutting off all air supply. Without any air supply, the burner flame is extinguished. Since the safety system is disabled, the standard trip for loss of flame does not actuate and the gas lines continue to pump into the facility. During this time, an operator took action to prevent the gas accumulation and attempted to manually halt the process through the HMI and the field trip buttons. However, these trips were ignored, resulting in a total loss of safety (T0880). Once gas had built up in the facility, the attacker opened the dampers (T0871) enough to achieve an ignitable fuel mixture at the ignitor. The attacker then used privileged forces to enable the force mask in logic for the flame sensor and ignitor (T0855). Finally, with the force mask in place, an ‘enable all forces’ command was issued (T0855). This enabled the force mask override, engaging the ignitor and causing an explosion of the built-up gases, resulting in physical destruction of the facility. | Following Triton, analysis identified potential scenarios that could have been the goal for Triton. For the TRITON evaluation we chose the scenario with the most adversary interaction and manipulation (reprogram the SIS to allow an unsafe state – while using the DCS to create an unsafe state or hazard [1]) for thorough testing of detections. These events were not reported to have occurred in real life and no DCS payload has been publicly released. |