Understanding TRITON/TRISIS – Not as Sophisticated as Originally Thought

Created: Tuesday, August 14, 2018 - 12:12
Categories:
Cybersecurity

At Black Hat USA last week, industrial cybersecurity firm Nozomi Networks revealed findings and gave a live demonstration of the malware attack known as TRITON/TRISIS/HatMan. For those new to this community, Nozomi includes a brief summary of the malware in their whitepaper. This fascinating read covers how the attack was executed and why developing the TRITON malware may have been easier than previously believed, including the procurement of the necessary components (such as Triconex hardware) through online marketplaces like eBay and Alibaba. Furthermore, Nozomi demonstrated that the resources needed are within reach of a motivated threat actor even without nation-state support, and are accessible to miscreants with relatively low programming skills and limited financial resources.

Nozomi previously released a Wireshark plug-in developed to detect TriStation protocol traffic on the network, the TriStation Protocol Plug-in for Wireshark (previously covered here by WaterISAC), and now adds to their arsenal the Triconex Honeypot Tool, which simulates SIS controllers to attract scanning and malicious payload deployment by attackers. Nozomi believes attackers may have been kept at bay thus far by fear of collateral damage and the risk of retaliation, but encourages and enables asset owners to monitor and secure their industrial networks and SIS deployments now.