New TRITON Analysis Tool: Wireshark Dissector for TriStation Protocol

TRITON, also known as Trisis and HatMan, is one of only a few known malware frameworks that have resulted in a direct physical impact on critical infrastructure. In 2017 TRITON was used to attack a Saudi Arabian gas facility, directly interacting with, and remotely controlling, its Safety Instrumented System (SIS). Given the significance of this attack, Nozomi Networks conducted research on the malware to better understand how its multistage injection techniques work.

We obtained a Triconex SIS controller and successfully communicated with it, including injecting the TRITON malware. Using the network traffic generated, we were able to analyze the proprietary TriStation protocol used to communicate with Triconex Safety Systems.

Today we released a Wireshark dissector for the TriStation protocol — called the TriStation Protocol Plug-in for Wireshark. The dissector is available as a free download from GitHub, along with a packet capture (PCAP) of network traffic that includes TriStation communications. These tools are intended to give researchers and ICS organizations access to a clear visual dissection of SIS controller communications, helping them identify compromises and cyber security risks.

Our complete analysis of TRITON, along with a live demo of an attack and a second TRITON tool, will be shown at an upcoming Black Hat USA presentation that we are giving jointly with FireEye on August 8, 2018.

The Milestone TRITON ICS Attack Reprograms a SIS Controller

In December 2017 FireEye (full disclosure, FireEye is a partner of Nozomi Networks) reported that it had recently worked with an industrial operator whose facility was attacked by a new type of ICS malware they named TRITON. The attack reprogrammed the facility’s SIS, causing it to enter a failed state and resulting in an automatic shutdown of the industrial process.

The shutdown led to the discovery of the malware and is thought to have been the result of a programming problem with the malware’s code. Likely TRITON was intended to prevent the SIS from safely shutting down the plant when used with a simultaneous attack on the process itself.

SIS systems are designed to prevent critical process systems from causing safety, health or environmental incidents. They are the last line of automated defense for a plant (mechanical defenses also exist) and are a special kind of PLC with multiple redundant systems.

While no harm occurred in this case, the attack represents a step-up in sophisticated ICS cyberattacks, being the first one to successfully interact with a SIS.

Why Wireshark Dissecting is Important for Understanding ICS Protocols

During Nozomi Networks' research on TRITON, we expanded our knowledge of the proprietary TriStation protocol used by the Triconex Safety Systems components. Some insight was extracted from the malware itself. Other knowledge came from the live traffic generated in our lab using a Triconex controller model MP 3008 with an NCM 4329/N/G communications module.

A PCAP of this traffic was shared with FireEye, who worked with BSI (the German Federal Office for Information Security), to develop packet rules for detecting TRITON.

We conducted our own analysis of the PCAP and realized that a tool capable of explaining the communications would be extremely helpful. Usually engineers analyze network traffic by capturing it with a program called Wireshark. Wireshark is a very flexible tool that visually explains the meaning of each byte contained in captured traffic. It works well for known, well-documented protocols but is ineffective when dealing with a proprietary protocol. To overcome this issue, Wireshark allows users to create their own dissector (protocol parser) that describes how to interpret an unknown protocol. Some of the languages used to create dissectors are C++ and Lua.

Because TriStation is a proprietary protocol not understood by Wireshark, initially the contents of the packets looked like raw data. We developed a Lua dissector that instructs Wireshark on how to parse the data contained inside each packet. With the dissector as a guide, Wireshark describes the meaning of each byte inside TriStation packets, making it easier for analysts to understand TriStation data traveling over a control network.

Our Wireshark dissector offers these useful features:

  • Indication of the direction of communication
  • Function codes translated as descriptive text
  • Extraction of transmitted PLC programs
  • Identification of connected hardware
  • Detection of the TRITON malware in network communications

We would like to emphasize that the functionality of the dissector is the result of our malware analysis and reflects the attackers’ reverse engineering of the TriStation protocol.
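To show the mechanism described above (how a Lua script teaches Wireshark to label the bytes of an otherwise opaque protocol, indicate direction and translate function codes to text), here is a minimal dissector added for illustration. It is not the Nozomi Networks plug-in and does not describe TriStation: the UDP port, header layout and function codes are all hypothetical.

```lua
-- Added illustration: a minimal Wireshark Lua dissector for a HYPOTHETICAL
-- proprietary UDP protocol. Port, framing and function codes are made up;
-- this is not the TriStation plug-in and not TriStation's real format.
local PORT = 40000  -- hypothetical UDP port the controller listens on

local demo = Proto("demoics", "Demo ICS Protocol (hypothetical)")

-- Hypothetical framing: 1-byte function code, 1-byte sequence number,
-- 2-byte little-endian payload length, then the payload.
local f_fc  = ProtoField.uint8 ("demoics.fc",      "Function Code",  base.HEX)
local f_seq = ProtoField.uint8 ("demoics.seq",     "Sequence",       base.DEC)
local f_len = ProtoField.uint16("demoics.len",     "Payload Length", base.DEC)
local f_dir = ProtoField.string("demoics.dir",     "Direction")
local f_pay = ProtoField.bytes ("demoics.payload", "Payload")
demo.fields = { f_fc, f_seq, f_len, f_dir, f_pay }

-- Expert info raised when the declared length does not fit the packet.
local ef_len = ProtoExpert.new("demoics.badlen.expert",
  "Payload length exceeds packet", expert.group.MALFORMED, expert.severity.ERROR)
demo.experts = { ef_len }

-- Function codes translated to descriptive text (constructed values).
local FUNCTION_NAMES = {
  [0x01] = "Connect Request",
  [0x02] = "Connect Reply",
  [0x10] = "Download Program",
  [0x11] = "Download Program Reply",
}

function demo.dissector(buf, pinfo, tree)
  if buf:len() < 4 then return 0 end        -- too short to be ours
  pinfo.cols.protocol = demo.name
  local sub = tree:add(demo, buf(), "Demo ICS Protocol")

  -- Direction: a datagram sent to the controller's port is a request.
  local dir = (pinfo.dst_port == PORT) and "Workstation -> Controller"
                                         or "Controller -> Workstation"
  sub:add(f_dir, dir)

  local fc   = buf(0, 1):uint()
  local name = FUNCTION_NAMES[fc] or "Unknown"
  sub:add(f_fc, buf(0, 1)):append_text(" (" .. name .. ")")
  sub:add(f_seq, buf(1, 1))
  local plen = buf(2, 2):le_uint()
  sub:add_le(f_len, buf(2, 2))
  if plen > 0 and buf:len() >= 4 + plen then
    sub:add(f_pay, buf(4, plen))             -- e.g. a transferred program block
  elseif plen > 0 then
    sub:add_proto_expert_info(ef_len)        -- flag inconsistent framing
  end
  pinfo.cols.info = string.format("%s [%s]", name, dir)
  return buf:len()
end

DissectorTable.get("udp.port"):add(PORT, demo)
```

Dropped into Wireshark's personal plugins directory, a script like this replaces the raw hex view with named fields, which is the same approach the TriStation plug-in takes for the real protocol.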

Nozomi Networks TriStation Wireshark Dissector Includes TRITON Detection

Additionally, based on new findings gained during our TRITON research, our TriStation Protocol Plug-in for Wireshark detects the uploading of a malicious program related to TRITON. While we are aware that Wireshark is not the most convenient tool for performing intrusion detection, our dissector demonstrates that it’s possible to identify ICS malware on the network using passive techniques.

The screen shot above shows the Nozomi Networks Wireshark dissector for TriStation, called the TriStation Protocol Plug-in for Wireshark, identifying the presence of the TRITON malware.

Nozomi Networks / FireEye TRITON Briefing at Black Hat USA

Our analysis of the TRITON malware led to many new insights that we will be sharing at Black Hat USA 2018. Don’t miss our presentation, in partnership with FireEye, on August 8th:

TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of Industrial Control Systems Forever
Time: 11:15 am – 12:05 pm
Location: Tradewinds EF

The briefing will cover:

  • How the threat actors could have obtained the targeted equipment, firmware and documentation, based on our own experience.
  • The level of resources (time, money, expertise) required to develop the sophisticated malware.
  • The advanced methods used by the malware for a multi-stage injection of the backdoor into the controller of the Schneider Electric Triconex safety shutdown system, derived from both static and dynamic analysis of the code.
  • A demo of how the TRITON malware executes on a Triconex controller on a live industrial network.
  • Why we think the attacker failed to inject payloads.

Secure SIS with Help from our Wireshark Dissector for the TriStation Protocol

If you are an industrial cyber security researcher or an ICS operator, we urge you to download the free Nozomi Networks TriStation Protocol Plug-in for Wireshark and our TriStation PCAP. They will help you understand SIS communications, identify compromises, evaluate risks and secure your safety instrumented system.
