Joe Slowik, Threat Intelligence & Hunter - SANS.org


Post on 21-Apr-2018


TRANSCRIPT

• Joe Slowik, Threat Intelligence & Hunter
  • Current: Dragos Adversary Hunter
  • Previous:
    • Los Alamos National Lab: IR Lead
    • US Navy: Information Warfare Officer
    • University of Chicago: Philosophy Drop-Out

• Jimmy Wylie, Reverse Engineer
  • Current: Dragos Adversary Hunter
  • Previous:
    • Focal Point Academy: MA Course Dev, Instructor, Researcher
    • Fortego, LLC: Malware Analyst/Reverse Engineer, Developer
    • University of New Orleans: B.S. & M.S. Computer Science

• Background
• Event
• Malware
• Response

• Failsafe for the industrial process
• Should be independent of industrial process
• Not arbitrary:
  • Hazard / Operability Studies
  • Process Hazard Analysis
  • FMEA

• Unspecified gas facility in Saudi Arabia attacked, August 2017
• Infection resulted in system shut-down during intrusion
  • Not assessed as shut-down due to attack
• Attack focused on Schneider Electric Triconex system, 3008 PowerPC processor version
• SIS-connected workstation compromised
  • Malicious compiled Python moved to workstation with payloads
  • EXE handles connectivity to and interaction with SIS

Establish Access on SIS-Connecting System
  -> Transfer TRISIS Package to System
  -> Use TRISIS Base EXE to Upload Tristation Program
  -> Tristation Program Compromises SIS
  -> Leverage Access for ICS Disruption via SIS


Something Breaks Here!

• Deliberate targeting of SIS accepts risk:
  • Physical damage
  • Potential injury or loss of life
• New norm established in ICS targeting and operations

Engineering Workstation (LIBRARY.ZIP + TRILOG.EXE) -> SIS (INJECT.BIN, IMAIN.BIN)

• Py2Exe executable masquerading as legitimate software
• Library.zip contains external python library dependencies
  • Artifact of the Py2Exe process
  • Contains attacker written libraries along with standard libraries
• Summary:
  1. Connects to Triconex using IP argument
  2. Concatenates inject.bin to imain.bin
  3. Tests for code upload
  4. Uploads inject+imain, removes if necessary.
• IMPACT: Provides a 'documented' procedure for uploading control programs

• TsLow.py – Socket layer implementation of Tristation/TCM Protocol
• TsBase.py – Tristation Network Commands
• TsHi.py – Uses TsBase to provide Read/Write program functionality
• Ts_cnames.py – Enumeration of Tristation codes
• crc.py – Provides a variety of CRC functions
• sh.py – Data dumping and changing endianness

• Tristation Protocol defines the packet format to send network commands
  • Options include uploading code, reading controller state, etc.
• TCM is the wrapper packet for a Tristation Protocol message
• Communications occur over UDP/1502

TCM Wrapper:
  MessageType | LengthOfData | Data | CRC16

Tristation Message (carried in the TCM Data field):
  Dir | Cid | Cmd | MsgCount | Unk | Checksum | LengthOfCmdData | CmdData

tcm_result() parses the reply

Whoops!

• ts_exec returns either a ts_result tuple or a Boolean
  • ts_result == (error_code, reply, cmd)
  • tcm_reconnect() -> Bool
• TsBase.py repeatedly calls the following sequence:

    result = ts_exec(cmd, ex_reply)
    return ts_cut_reply(result)

• First line of function can cause a program crash
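As an added illustration (constructed stand-ins, not TRISIS code and not the authors' material), the following reproduces the return-type mismatch the slide describes: ts_exec hands back either an (error_code, reply, cmd) tuple or the Boolean from tcm_reconnect(), and a caller that unpacks the result as a tuple fails on the Boolean path. The function bodies, the reconnect outcome and the reply bytes are assumptions.

```python
# Added example: reproduces the crash condition described on the slide.
# The names ts_exec, ts_result, tcm_reconnect and ts_cut_reply mirror the slide;
# their bodies here are constructed stand-ins, not the TRISIS implementation.


def tcm_reconnect():
    """Stand-in for the reconnect path: returns a Boolean, not a ts_result tuple."""
    return False  # assumption: the reconnect attempt fails


def ts_exec(cmd, ex_reply, connected=True):
    """Normal path returns a ts_result tuple (error_code, reply, cmd);
    the reconnect path passes through tcm_reconnect()'s Boolean unchanged."""
    if not connected:
        return tcm_reconnect()
    reply = b"\x00\x00" + b"constructed-reply"  # assumption: 2-byte status prefix
    return (0, reply, cmd)


def ts_cut_reply(result):
    """Assumes a ts_result tuple; its first line fails when handed a Boolean."""
    error_code, reply, cmd = result  # TypeError: cannot unpack a bool
    return reply[2:]


def run_sequence(cmd, connected):
    """The TsBase-style call sequence from the slide, instrumented so the
    outcome (normal reply vs. uncaught exception) is returned, not printed."""
    try:
        result = ts_exec(cmd, ex_reply=None, connected=connected)
        return ("ok", ts_cut_reply(result))
    except TypeError as exc:
        return ("crash", type(exc).__name__)
```

For an analyst, the "crash" branch is the observable: a connectivity hiccup during the upload sequence ends the process rather than being handled, which is consistent with the unexplained failure the talk discusses.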

• Summary
  • Implements both TCM and Tristation protocol messages
  • Includes ability to scan network for Triconex SIS
• Impact
  • Previously undocumented protocol now easily re-implemented
  • Defenders benefit from attacker's investment

• Series of network commands with similar structure
• "Exploit" Interaction
  • Documents subset of available Tristation network commands
  • Built-in ability to upload/download programs and functions
  • "ExecuteExploit" reveals which function the BIN files attempt to hook

• Fairly involved control flow:
  1. Enumerates Functions and Programs
  2. Reads last program in SIS's program table
  3. If program contains custom TRISIS codesign, it will overwrite that program with argument
  4. Otherwise, it will allocate a new program appending the TRISIS codesign
  5. Runs program and checks state

• Summary
  • Provides semi-automated function/program upload/download and enumeration
  • Can query SIS state
• Impact
  • Template of ordering and use of TS protocol for SIS modification – Exploit not required!
  • Exploit Funcs could be used for detection

• Schneider Electric provided a deep-dive at S4x18
• Summary
  • inject.bin leverages 0-day to hook a Tristation Command, likely GetMPStatus, with imain.bin
  • imain.bin adds extra functionality to command allowing R/W/E
  • Removal from program table does not remove rootkit - reboot required

• Current reporting suggests IMAIN is a RAT
  • Given that it hooks an OS command, it functions more like a memory resident rootkit
  • RAT connotes more reachability than is present
    • No custom C2, only TS protocol
    • It's as accessible as the SIS
  • Trilog.exe doesn't support remote C2 either

• Does the rootkit bypass the keyswitch setting once installed?
• What is the nature of the exploit?
  • No CVE published
• What crashed the SIS?
• We are currently exploring these issues

• TRISIS capability implies expert knowledge of the Triconex SIS
• Implications event was a test: 'script_test.py'
  • But why test in target environment – if hardware access required to develop TRISIS?
  • Why not confirm rootkit presence in TRILOG checks?

• Unique attack:
  • Tied to specific Triconex System and configuration
  • 3008 PowerPC-based system
• Malware is not SIS scalable
• Attack capabilities do not resemble standard Windows malware

• Standard antivirus inadequate
  • Heuristics are focused on Windows malware
  • Behavioral heuristics only applicable at EWS
  • Signatures are backward-looking
• Typical antivirus is not designed for threats such as TRISIS

• Anomaly detection lacks appropriate context
  • Scope of SIS events may be small
  • But baseline will be narrow
  • Any 'not normal' activity will trigger
• Anomalous SIS activity is alarming
  • But single anomaly data point insufficient
  • Lack of context and evidence impedes investigation

• Keep keyswitch in 'Run' mode
• Deploy SIS on isolated networks
  • Terminals should never be connected to any network other than dedicated safety network
  • Removable media and laptops should be scanned prior to introducing to safety network

• Unfortunately…
  • Uncertain if keyswitch can mitigate existing infection
  • Network isolation may not be possible
    • Proper function likely requires some connectivity
  • Scanning introduced media will use standard AV – not effective against new, ICS-specific threats

• Adequate defense against TRISIS-like attacks requires a threat-focused approach
• Identify:
  • Pre-requisites for SIS access and attack
  • Necessary steps to impact SIS
  • Critical path nodes between IT, ICS, and SIS

• TRISIS as observed will never happen again
  • Specific to the target environment
  • Will not scale or port to future attacks
• TRISIS as a potential method can be re-used
  • Focus on general behaviors in attack
  • Defend against variances and permutations

Initial Intrusion & C2

• Identify suspect items at IT-ICS link

• Minimize IT-ICS communications to known, monitored paths

ICS Intrusion & Lateral Movement

• Identify and monitor critical path links to SIS, other sensitive areas

• Know existing network communication pathways and identify new, suspicious items

SIS Activity

• Limit communication to SIS to subset of hardened, generally isolated devices

• Record and monitor firmware and configuration changes

rule compiledPython
{
    meta:
        description = "Identify compiled Python objects - Should be rare to non-existent in ICS environments"
        author = "Dragos Inc."

    strings:
        $s1 = "PyImport_" nocase wide ascii
        $s2 = "PyErr_" nocase wide ascii
        $s3 = ".pyd" nocase wide ascii
        $s4 = "py2exe" nocase wide ascii

        $a1 = "cyberoam" nocase wide ascii fullword
        $a2 = "plctalk" nocase wide ascii fullword
        $a3 = "greenbow" nocase wide ascii fullword
        $a4 = "mbnet" nocase wide ascii fullword
        $a5 = "mbconnect" nocase wide ascii fullword
        // …. (further $a strings elided on the slide)
        $a** = "trilog" nocase ascii wide fullword

    condition:
        uint16(0) == 0x5a4d and 2 of ($s*) and 1 of ($a*)
}
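As an added example (not from the slides or from Dragos), the rule's condition can be emulated in Python to see how each clause behaves on a buffer: the MZ magic check, the `2 of ($s*)` count over ascii and wide (UTF-16LE), case-insensitive Py2Exe artifacts, and the `1 of ($a*)` count of fullword masquerade names. The sample buffer is constructed, and fullword is approximated with an alphanumeric check on the adjacent byte(s).

```python
import re

# Constructed sample: an MZ header, one ASCII Py2Exe artifact, one UTF-16LE
# ("wide") artifact, and a file name that matches a fullword $a string.
SAMPLE_PE = (b"MZ" + b"\x00" * 62
             + b"PyImport_ImportModule\x00"
             + "PyErr_Print".encode("utf-16-le")
             + b"\x00trilog.exe\x00")

S_STRINGS = ["PyImport_", "PyErr_", ".pyd", "py2exe"]          # the rule's $s* set
A_STRINGS = ["cyberoam", "plctalk", "greenbow", "mbnet",        # the $a* strings
             "mbconnect", "trilog"]                             # shown on the slide


def _pattern(s, wide, fullword):
    """Regex for one YARA string with the ascii/wide, nocase and fullword modifiers."""
    lit = re.escape(s.encode("utf-16-le") if wide else s.encode())
    if fullword:
        # fullword (approximated): no alphanumeric immediately before or after;
        # a wide neighbour is a letter/digit followed by a NUL byte
        alnum = rb"[A-Za-z0-9]\x00" if wide else rb"[A-Za-z0-9]"
        lit = rb"(?<!" + alnum + rb")" + lit + rb"(?!" + alnum + rb")"
    return re.compile(lit, re.IGNORECASE)  # nocase


def yara_string_hits(data, s, fullword=False):
    """True if the string matches in either its ascii or its wide form."""
    return any(_pattern(s, wide, fullword).search(data) is not None
               for wide in (False, True))


def compiled_python_rule(data):
    """Emulates: uint16(0) == 0x5a4d and 2 of ($s*) and 1 of ($a*)."""
    if data[:2] != b"MZ":  # 0x5a4d read little-endian at offset 0 is b"MZ"
        return False
    s_hits = sum(yara_string_hits(data, s) for s in S_STRINGS)
    a_hits = sum(yara_string_hits(data, a, fullword=True) for a in A_STRINGS)
    return s_hits >= 2 and a_hits >= 1
```

The fullword modifier is what keeps a name like "trilogy" from satisfying the $a clause, while nocase and wide let the $s artifacts match however the Py2Exe stub stores them.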

• Any of the previous items in isolation is an anomaly
• But when correlated with other events and knowledge in the environment, yields a behavior
• Focus on identifying threat behaviors at earliest possible moment
• Identifying possible firmware binary = data point
• Proper response requires enrichment:
  • Source and path for binary in network
  • Communications path to SIS, SIS controller
  • Nature and means of SIS interaction

1. Identify Required Adversary Behaviors
2. Determine Necessary Visibility to Detect Adversary Actions
3. Align Defense and Monitoring to Requirements
4. Train and Educate Security Personnel on Threat Environment
5. Emphasize Root Cause Analysis when Systems Fail

Initial Intrusion -> Gain Persistence -> Survey Network -> Identify Objective -> Deliver Effect -> Complete Effect