Trisis ICS malware was publicly available after attack

The malware used in an industrial control system attack in December has been found circulating publicly on the internet after being copied from an online database.


The Trisis industrial control system (ICS) malware was first disclosed by FireEye’s Mandiant threat research team on Dec. 14, after an attack on an unknown organization. The malware specifically targeted the Triconex Safety Instrumented System (SIS) controllers made by Schneider Electric and has been called either Triton or Trisis because of this. About a week after the initial reveal by Mandiant, on Dec. 22, Schneider Electric reportedly posted a file containing sensitive pieces of the Trisis malware framework to VirusTotal, an antivirus scan database owned by Google.

Cyberscoop, which first reported the story, said Schneider Electric quickly received a notice to remove the file from VirusTotal, but before it could be taken down it had already been copied and reposted to code-sharing sites such as GitHub, where it has been freely available ever since.

Although the Trisis framework accidentally posted by Schneider Electric would not by itself be enough to recreate the ICS malware, the main Trisis executable, Trilog.exe, had also been published.

Paul Brager Jr., technical product security leader at Baker Hughes, based in Houston, Texas, and former cybersecurity project manager focused on ICS at Booz Allen Hamilton, said “it is highly conceivable that variants of Trisis could surface that are tailored toward control systems by Siemens, Rockwell Automation, Honeywell or other digital industrial manufacturers.”

“Because most control environments are not homogeneous, patching one series of vulnerabilities for a particular manufacturer does not necessarily lessen the exposure to the infrastructure from something like Trisis, or a variant therein,” Brager told SearchSecurity. “What we are seeing is an effort to engage control systems not only at the constituent

but the underlying systems that seek to manage those control environments. Just as Trisis was written to target a specific Schneider SIS, there is nothing preventing nation-state actors with the means and resources to refashion Trisis to target any SIS or other ICS subsystem with vulnerabilities that can be exploited.”

Eddie Habibi, founder and CEO of PAS Global, an ICS cybersecurity company headquartered in Houston, Texas, said the problem is that “there are two speeds in ICS cybersecurity — industry speed and hacker speed.” 

“Hackers can move much more quickly than industry. Industry may not patch a system for months or ever, depending on assessed risk,” Habibi told SearchSecurity. “Although this may sound ominous, industry does have safeguards in place that protect reliability and safety. The problem is that hackers are learning more about these systems and how to manipulate them, as we saw in the Trisis attack.”

Bryan Singer, director of industrial cybersecurity services at IOActive, the cybersecurity company headquartered in Seattle, Wash., said the threat of Trisis being repurposed may not have sunk in with organizations.

“Wake-up calls haven’t woken anybody up. In watershed moments such as Equifax, Target and Triconex, everyone freaks out but doesn’t do anything,” Singer told SearchSecurity. “We’ll see a lot of the same here — people like to dismiss the threat and think it won’t happen because they’re not being targeted. IT proves this completely untrue. There are far too many attack mechanisms to say it won’t happen to us.”

ICS patching issues

Experts noted that if organizations don’t fully recognize the threat, it may be even more difficult to harden security because of the inherent differences in patching ICS.

Brager noted that patching in ICS environments can be especially tricky since “many of the components, applications, and services are proprietary and highly interdependent.”

“Because of the critical process potential of ICS systems and their components, significant testing is usually required to ensure that an applied patch yields an expected outcome and does not interfere with, or degrade in any fashion, the operations of the control system,” Brager said. “This requirement and diligence typically

out the patching cycle within [operational technology (OT)] environments, often months, and ultimately depends on the ability to patch and the resource availability to do so.”

Emily Miller, director of national security and critical infrastructure programs at Mocana, and formerly the chief of process management for the DHS ICS Cyber Emergency Response Team, said the flaws that allowed the Trisis attack were not an inherent vulnerability in the device, but “due to poor cyber hygiene.”

“In operational technology, patching is tricky business — remember, in OT we’re talking about devices that control physical processes that can impact lives, not just bits and bytes of data,” Miller told SearchSecurity. “Quickly patching devices, as you would expect to see in an IT environment, can have real, catastrophic consequences in an operational environment.”

ICS defense

Brager said that traditionally ICS systems are kept isolated from external networks but growing interconnectivity is making security more difficult.

“For many years, ICS environments were largely thought to be physically and logically isolated from other networks and/or environments. Connectivity was largely a function of interconnected buses and short-run links that allowed communication through a closed-loop architecture,” Brager said. “Network enablement of components within ICS expanded the threat landscape exponentially, as systems that were not originally designed to be internet/network facing suddenly were — and the facilities needed to patch these devices were largely immature and arduous.”

Habibi agreed that isolating ICS is no longer a sufficient security strategy.

“After years of reconnaissance, the bad guys have shown they can penetrate those defensive layers, bridge the illusory air gap, and take deliberate control over

CRASHOVERRIDE did not need a vulnerability to bring down power in Ukraine — only ICS and process knowledge that had been built over time,” Habibi said. “A successful Trisis-like attack, under certain circumstances, can lead to a catastrophic accident. Consider a scenario where a skilled malicious attacker breaches a Triconex system, which is designed to safely shut down a reactor in a fluid catalytic cracking unit in a refinery, by bypassing the trip function. This simple change could act as a time bomb and remove the failsafe that ultimately protects the plant from a catastrophic event.”

Miller said the Trisis attack is “more evidence that we need to start approaching this problem differently.”

“Rather than continuing to chase vulnerabilities and trying to implement an IT approach to OT security, we should instead think about how we can make critical devices inherently secure and more difficult for hackers to gain access,” Miller said. “Without access to an ICS device, hackers cannot begin to take advantage of a vulnerability. Certainly, defense in depth methodologies and good cyber hygiene are a part of the solution, but what happens when those techniques fail, and the actors can remotely access a device and potentially manipulate it?”

Author: administrator