When the malware known both as Triton and Trisis came to light in late 2017, it quickly gained a reputation as perhaps the world's most dangerous piece of code: the first ever designed to disable the safety systems that protect industrial facilities from potentially lethal physical accidents. But Triton hackers still have to engage in far more common forms of hacking to plant that code, in some cases spending close to a year digging their way through IT networks before they reach their targets. They've used a distinct toolkit of custom-made malware to do so—and bringing it to light might now help stop other active intrusions before it's too late.

At the Kaspersky Security Analyst Summit in Singapore Wednesday, researchers at the security firm FireEye plan to present some of the lessons they've learned in following the footprints of the Triton hackers, known sometimes as TEMP.Veles or Xenotime. Two customers hired FireEye to investigate intrusions on their networks: the Petro Rabigh oil refinery, temporarily shut down by Triton in Saudi Arabia in 2017, and an anonymous, previously undisclosed victim whose breach FireEye investigated just this year.

In those investigations, FireEye says it identified a collection of custom malicious software that the Triton hackers used: tools that let the hackers patiently advance their intrusion as they worked toward access to the victims' industrial control systems.

Custom Job

In contrast to Triton—one of a few vanishingly rare pieces of malware that directly targets industrial control systems—the newly named tools are essentially custom-written versions of common programs hackers use to work through traditional IT networks. But FireEye director of intelligence analysis John Hultquist says that detailing the Triton hackers' custom toolkit might help other potential targets protect themselves. "We’ve only found them twice, and we think there’s more out there," Hultquist says.

The stakes are high. The hackers behind Triton have already dared once to inflict potentially serious damage in a facility, attacking Triconex safety-instrumented systems at the Petro Rabigh refinery, which could have led to a lethal, catastrophic accident. It fortunately triggered only a shutdown of the plant. But any ongoing Triton attack could have similarly weighty consequences. "We’re providing our methodology to the world so they can look for this actor, whom we’re taking very seriously," Hultquist says.

The list of tools FireEye has identified includes a program called SecHack, designed to pull a target user's passwords and other credentials out of a computer's memory so that they can be repeatedly reused to log in to any machine on the network the victim has access to. It essentially re-creates the functionality of an open source, ultracommon tool known as Mimikatz, which was created in 2011 and designed to similarly suck passwords out of a computer's RAM. Another custom tool FireEye found the Triton hackers using is called NetExec, which mimics the functionality of PSExec, a Windows utility that lets administrators run commands on remote computers across a network.

Hackers frequently use PSExec together with credentials stolen by Mimikatz. The Triton hackers similarly combine their custom SecHack and NetExec tools, using them to hopscotch from machine to machine within a network.


Why write custom versions of publicly accessible commodity tools? FireEye security researcher Steven Miller says the Triton hackers may have created custom software to evade security technologies that can spot the use of Mimikatz and PSExec. That may allow them to hide longer in a victim's network. In both cases that FireEye analyzed, the hackers' intrusions persisted for months before they even attempted to drop their Triton payload. But that decision now gives anyone who spots those unique tools on their network a strong clue that they're being targeted by a very dangerous hacker group with a history of physical sabotage. "There's a trade-off in the risks they take," Miller says.
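The two behaviours described above, credentials pulled from a machine's memory and a remote-execution tool that installs a service on the next host, leave traces regardless of whether the binary is Mimikatz, PSExec or a private rewrite. The script below is an added illustration, not FireEye's methodology or any code from the article: it runs a behaviour-based check over a handful of constructed log records (loosely modelled on Sysmon Event ID 10, process access, and Windows System log Event ID 7045, new service installed; the field names, hostnames, file paths, the LSASS allowlist and the 24-hour window are all assumptions chosen for the example) and correlates memory access to LSASS on one host with a suspicious service install on another.

```python
"""Added example: correlate credential theft from LSASS memory with a follow-on
remote service install, the Mimikatz-plus-PSExec pattern the article describes.
All events, paths and hosts are constructed; the heuristics are generic, not
any vendor's signatures."""
from datetime import datetime, timedelta

# Processes that legitimately open LSASS on a typical host. Hypothetical list;
# tune it from your own baseline before relying on it.
LSASS_ALLOWLIST = {
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Path fragments a service binary should not normally be launched from.
SUSPICIOUS_DIR_FRAGMENTS = ("\\temp\\", "\\users\\public\\", "\\appdata\\")

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:00:05", "host": "ENG-WS01", "event_id": 10,
     "source_image": r"C:\Users\ops\AppData\Local\Temp\sh.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    {"ts": "2024-01-10T09:00:40", "host": "ENG-WS01", "event_id": 10,
     "source_image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    {"ts": "2024-01-10T09:14:12", "host": "HIST-SRV02", "event_id": 7045,
     "service_name": "xyzsvc", "image_path": r"C:\Windows\Temp\nx.exe"},
    {"ts": "2024-01-10T09:14:13", "host": "HIST-SRV02", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": r"C:\Windows\PSEXESVC.exe"},
    {"ts": "2024-01-12T11:00:00", "host": "HIST-SRV02", "event_id": 7045,
     "service_name": "BackupAgent", "image_path": r"C:\Program Files\Backup\agent.exe"},
]


def parse_ts(value):
    """Timestamps in the constructed records are ISO 8601 without a zone."""
    return datetime.fromisoformat(value)


def is_suspicious_lsass_access(ev):
    """Any process outside the allowlist reading LSASS memory is worth a look;
    this is a behaviour check, so a renamed credential dumper still matches."""
    if ev["event_id"] != 10:
        return False
    return (ev["target_image"].lower().endswith("\\lsass.exe")
            and ev["source_image"].lower() not in LSASS_ALLOWLIST)


def is_suspicious_service_install(ev):
    """Flag the well-known PsExec service name (catches the commodity tool) and,
    separately, any service whose binary lives in a user-writable directory
    (catches a custom clone that avoids the name)."""
    if ev["event_id"] != 7045:
        return False
    path = ev["image_path"].lower()
    if ev["service_name"].upper() == "PSEXESVC":
        return True
    return any(frag in path for frag in SUSPICIOUS_DIR_FRAGMENTS)


def find_lateral_movement(events, window=timedelta(hours=24)):
    """Pair each suspicious LSASS access with later suspicious service installs
    on a different host inside the window. Returns one finding per pair."""
    cred_events = [e for e in events if is_suspicious_lsass_access(e)]
    svc_events = [e for e in events if is_suspicious_service_install(e)]
    findings = []
    for c in cred_events:
        for s in svc_events:
            delta = parse_ts(s["ts"]) - parse_ts(c["ts"])
            if timedelta(0) <= delta <= window and s["host"] != c["host"]:
                findings.append({
                    "source_host": c["host"],
                    "dumper": c["source_image"],
                    "target_host": s["host"],
                    "service_image": s["image_path"],
                    "minutes_apart": round(delta.total_seconds() / 60, 1),
                })
    return findings


if __name__ == "__main__":
    for f in find_lateral_movement(SAMPLE_EVENTS):
        print(f"{f['source_host']} -> {f['target_host']} via {f['service_image']} "
              f"({f['minutes_apart']} min after LSASS access by {f['dumper']})")
```

On the constructed input the Defender engine's LSASS access is ignored by the allowlist, the two-day-later BackupAgent install is ignored as benign, and the two remaining installs are tied back to the earlier credential read on the engineering workstation. The name check alone would have caught only the PSEXESVC case, which is the evasion the article attributes to the custom NetExec; the writable-directory and LSASS-access checks are what still fire when the binary has been rewritten.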