The 2017 Triton attack against a Saudi petrochemical plant remains one of the few ICS malware incidents that may have had harmful consequences to cyber-physical systems and caused injuries or loss of life.
An entity known as XENOTIME, which has been linked to Russian intelligence by cybersecurity companies, the U.S. Treasury Department, and the U.S. Department of Justice, is likely responsible for building the tools that enabled the attack and for the deployment of Triton inside the plant.
The attack, however, failed because instead of silently modifying the Schneider Electric Triconex safety instrumented system (SIS) as intended and causing an explosion, it triggered a fault in the SIS that initiated an emergency shutdown of plant operations. All forensic artifacts were lost in the shutdown and Triton’s authors remain a mystery to this day.
Joe Slowik, threat intelligence and detections lead at Gigamon, joins the Nexus podcast to discuss a Virus Bulletin paper and presentation he gave recently on XENOTIME. Based on reporting from Mandiant, Treasury sanctions, and a 2021 DoJ indictment revealed this year, XENOTIME is likely an entity sitting within Russian intelligence operations that developed tooling used to deploy Triton.
It’s unknown who wrote the malware, or who sanctioned it, but Slowik’s research demonstrates that such events are usually the work of numerous entities, each responsible for one aspect of an overall mission.
“There’s a lot going on here in terms of the division of labor, the number of entities, and other aspects in terms of enabling an event like the Triton incident,” Slowik said.
Slowik also describes the stages of the Triton attack, where it went wrong, and speculation as to why it failed. He also explains Triton’s connections to the State Research Center of the Russian Federation Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM), a research laboratory dating back to the late 1800s, and its support of Russia’s military and intelligence. Finally, he covers the general challenges researchers face with attribution and what the key takeaways for defenders should be.
Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.