goodlisten

Episode 68: Triton
listen on Spotify
Duration: 1:15:29
Published: Tue Jun 23 2020
Description

A mysterious mechanical failure one fateful night in a Saudi Arabian chemical plant leads a cast of operational technology researchers down a strange path towards an uncommon, but grave, threat. In this episode, we hear how these researchers discovered this threat and tried to identify who was responsible for the malware behind it. We also consider how this kind of attack may pose a threat to human life wherever there are manufacturing or public infrastructure facilities around the world. A big thanks to Julian Gutmanis, Naser Aldossary, Marina Krotofil, and Robert M. Lee for sharing their stories with us.

Sponsors

This episode was sponsored by IT Pro TV. Get 65 hours of free training by visiting ITPro.tv/darknet and use promo code DARKNET25. This episode was sponsored by Linode. Linode supplies you with virtual servers. Visit linode.com/darknet and when signing up with a new account use code darknet2020 to get a $20 credit on your next project.

Sources

https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html
https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html
https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html
https://dragos.com/wp-content/uploads/TRISIS-01.pdf
Video: S4 TRITON - Schneider Electric Analysis and Disclosure
Video: S4 TRITON - Mandiant Analysis at S4x18
Video: S4 TRITON - Reverse Engineering the Tricon Controller by Dragos
Video: S4 TRITON - A Report From The Trenches
Video: Safety Orientation video for the Chemical Plant

Chapters
Data Breaches
00:00 - 01:13 (01:13)
Summary

The episode opens with the observation that data breaches have already affected every listener, and that future intrusions may be far more destructive, leading to major disasters rather than just lost data.

Episode
68: Triton
Podcast
Darknet Diaries
Brave Browser
01:13 - 05:01 (03:47)
Summary

Brave Browser lets users enable advanced features such as WebUSB without sacrificing their privacy.

Emergency Preparedness
05:01 - 14:13 (09:12)
Summary

An incident responder should keep a go-bag ready for emergencies. It holds essentials such as food, water, and first aid supplies, along with the tools needed to carry out incident response and forensics on site.

Cybersecurity
14:13 - 22:30 (08:17)
Summary

Comparing the program and logic files held on the plant's engineering systems against what is actually loaded on the safety controller is a crucial way to detect malware and advanced adversaries in the environment, and so to keep employees and equipment safe. During incident response, hazardous conditions become a central concern: attackers may have planted time bombs or backdoors that could put people's safety at risk.

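
The project-to-controller comparison described in the chapter above, written out as an added example; this is not code from the episode, its guests, or any vendor tool. It assumes that the engineering project's logic segments and the segments currently loaded on the safety controller have already been retrieved as name-to-bytes maps (the retrieval itself is vendor specific and not shown), and the segment names and contents below are constructed for illustration. It goes slightly beyond the summary by classifying the drift into modified, removed and added segments, and by treating a segment on the controller that the project has never heard of as the most severe finding.

```python
"""
Added example: detect logic drift between an engineering project and a
safety controller by hashing each program/logic segment on both sides.
Not code from the episode or from any vendor; the sample data is constructed.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


def segment_hash(body: bytes) -> str:
    """SHA-256 of one program/logic segment, hex encoded."""
    return hashlib.sha256(body).hexdigest()


@dataclass
class LogicDrift:
    """Result of comparing the engineering project against the controller."""
    matched: list[str] = field(default_factory=list)
    modified: list[str] = field(default_factory=list)   # same name, different content
    removed: list[str] = field(default_factory=list)    # in project, missing on controller
    added: list[str] = field(default_factory=list)      # on controller, unknown to project

    @property
    def clean(self) -> bool:
        return not (self.modified or self.removed or self.added)

    def severity(self) -> str:
        # Segments the controller runs that the engineering project has never
        # heard of are the most alarming case: legitimate changes flow from the
        # project to the controller, never the other way around.
        if self.added:
            return "critical"
        if self.modified or self.removed:
            return "high"
        return "none"


def compare_logic(project: dict[str, bytes], controller: dict[str, bytes]) -> LogicDrift:
    """Compare segment by segment, by content hash, and bucket every difference."""
    drift = LogicDrift()
    project_hashes = {name: segment_hash(body) for name, body in project.items()}
    controller_hashes = {name: segment_hash(body) for name, body in controller.items()}

    for name in sorted(project_hashes):
        if name not in controller_hashes:
            drift.removed.append(name)
        elif controller_hashes[name] != project_hashes[name]:
            drift.modified.append(name)
        else:
            drift.matched.append(name)

    for name in sorted(controller_hashes):
        if name not in project_hashes:
            drift.added.append(name)

    return drift


def format_report(drift: LogicDrift) -> str:
    """Human-readable summary for an incident responder."""
    lines = [f"severity={drift.severity()} matched={len(drift.matched)}"]
    for label, names in (("MODIFIED", drift.modified),
                         ("REMOVED", drift.removed),
                         ("ADDED", drift.added)):
        for name in names:
            lines.append(f"  {label}: {name}")
    return "\n".join(lines)


# Constructed sample data: the segment names and contents are made up for
# illustration and do not correspond to any real controller or project.
PROJECT_SEGMENTS = {
    "main_program": b"IF pressure > 120 THEN trip_valve := TRUE;",
    "high_temp_trip": b"IF temp > 350 THEN trip_heater := TRUE;",
    "watchdog": b"heartbeat := heartbeat + 1;",
}

CONTROLLER_SEGMENTS = {
    "main_program": b"IF pressure > 120 THEN trip_valve := TRUE;",
    "high_temp_trip": b"IF temp > 900 THEN trip_heater := TRUE;",   # threshold tampered
    "watchdog": b"heartbeat := heartbeat + 1;",
    "unnamed_segment_3": b"\x00\x01\x02\x03 injected code",          # not in the project
}


def check_sample() -> LogicDrift:
    """Run the comparison over the constructed sample data."""
    return compare_logic(PROJECT_SEGMENTS, CONTROLLER_SEGMENTS)


if __name__ == "__main__":
    print(format_report(check_sample()))
```

Run as a script it prints the drift report for the constructed sample (one tampered threshold, one unknown segment). A result only counts as clean when nothing is modified, removed or added, and the baseline must come from a known-good copy of the project: as the next chapter notes, the attack was traced back to an engineering workstation, so a baseline read from a compromised workstation could already reflect the attacker's changes.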
Cybersecurity
22:30 - 29:24 (06:53)
Summary

The cyber attack on the chemical plant was traced back to an engineering workstation: the attackers slipped through a hole in the DMZ and then reached the safety controllers, using a multicast ping to find them.

Cybersecurity
29:24 - 39:24 (09:59)
Summary

An attacker who can reprogram the safety systems in an industrial control environment could damage the plant or even cause a disaster, because the safety system can be prevented from executing its function at the moment it is needed.

Cybersecurity
39:24 - 44:38 (05:13)
Summary

The speaker describes the first known malware built to target a safety instrumented system (SIS) and the concerns it raises about systems whose job is to protect human life. Discovering the malware inadvertently led to the discovery of the group behind it, which turned the case into an exciting investigation.

Cybersecurity
44:38 - 52:42 (08:04)
Summary

The possibility that the Triton attackers collaborated with a research institute was discussed, since that would explain the multidisciplinary nature of the attack. Although the attackers did not run proper attack infrastructure of their own, FireEye researchers tracked an IP address tied to the Triton team's intrusions.

Cybersecurity
52:42 - 57:38 (04:55)
Summary

The impact of an intrusion and the objectives of the attackers are the criteria for judging whether it is cybercriminal in nature, and a high-confidence attribution is not simply a matter of intelligence or forensics: it also weighs the tensions between state actors over national critical infrastructure and cyber attacks.

Cybersecurity
57:38 - 1:04:17 (06:39)
Summary

Clustering intrusions into an activity group, or performing kill chain analysis, are effective ways to track an adversary and the methods, tools, and infrastructure they use, and to turn that into defensive recommendations. A state adversary hostile to Saudi Arabia, or to its oil and gas wealth, could see attacking its oil plants as an effective way to hit production and morale, especially since Saudi Aramco was preparing its IPO at the time.

Cybersecurity
1:04:17 - 1:13:24 (09:07)
Summary

Leaders should take serious measures to prevent state-sponsored cyber attacks like NotPetya and the attacks on Ukraine, and penalize the countries that carry them out. Proper detection, prevention, and response capabilities are essential for organizations to defend against this kind of attack.

US, Chinese Research Institution, PLA, Sanctions
1:13:24 - 1:15:25 (02:01)
Summary

The US has imposed sanctions on a Chinese research institution over its alleged ties to the People's Liberation Army (PLA); the institution is now barred by Washington from doing business with US firms.
