Triton Safety Instrumented System Attack, Campaign C0030

Enterprise

T1595

Active Scanning

In the Triton Safety Instrumented System Attack, TEMP.Veles engaged in network reconnaissance against targets of interest.[4]

Enterprise

T1059

.001

Command and Scripting Interpreter: PowerShell

In the Triton Safety Instrumented System Attack, TEMP.Veles used a publicly available PowerShell-based tool, WMImplant.[4]

Enterprise

T1587

.001

Develop Capabilities: Malware

In the Triton Safety Instrumented System Attack, TEMP.Veles developed the Triton malware before the attack, a capability that could only be built and tested with access to the specific, specialized hardware and software it targets (the Triconex safety controllers and their supporting software).[5]

Enterprise

T1573

Encrypted Channel

In the Triton Safety Instrumented System Attack, TEMP.Veles used cryptcat binaries (netcat with Twofish encryption added) to encrypt their traffic.[4]

Enterprise

T1056

.003

Input Capture: Web Portal Capture

In the Triton Safety Instrumented System Attack, TEMP.Veles captured credentials as they were being changed, by redirecting the login codes sent by text message to websites they controlled.[1]

Enterprise

T1036

.005

Masquerading: Match Legitimate Resource Name or Location

In the Triton Safety Instrumented System Attack, TEMP.Veles renamed files to look like legitimate files, such as Windows update files or Schneider Electric application files.
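
A rename of this kind leaves two traces a defender can check in process-creation telemetry: the PE version resource (OriginalFileName) still names the original tool, and a file borrowing a Windows or vendor name runs from a directory where that name is never installed. The following is an added illustration, not code from this page or from the incident reports it cites; every record, path and version-resource value in it is constructed, and the allowlist of expected directories is an assumption for the example.

```python
"""Triage process-creation telemetry for renamed or relocated binaries.

Added illustration, not code from the ATT&CK page or from the incident
reports it cites. Each record mimics the Image / OriginalFileName fields of a
Sysmon Event ID 1; every record below is constructed, not real telemetry.
"""
from pathlib import PureWindowsPath

# Where well-known file names are expected to live. This allowlist is an
# assumption for the example; in practice derive it from a software inventory.
EXPECTED_DIRS = {
    "wuauclt.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

# Constructed sample events (hypothetical hosts, paths and version-resource values).
EVENTS = [
    {"Image": r"C:\Windows\System32\wuauclt.exe", "OriginalFileName": "wuauclt.exe"},
    # A tool renamed to look like the Windows Update client, dropped in a temp directory.
    {"Image": r"C:\Users\eng01\AppData\Local\Temp\wuauclt.exe", "OriginalFileName": "cryptcat.exe"},
    # A tool renamed to look like a vendor application file (hypothetical file name).
    {"Image": r"C:\ProgramData\Schneider Electric\SEUpdate.exe", "OriginalFileName": "cryptcat.exe"},
    {"Image": r"C:\Windows\SysWOW64\svchost.exe", "OriginalFileName": "svchost.exe"},
]


def triage(event):
    """Return the list of reasons a single process-creation record looks masqueraded."""
    path = PureWindowsPath(event["Image"])
    name = path.name.lower()
    parent = str(path.parent).lower()
    original = (event.get("OriginalFileName") or "").lower()
    reasons = []
    # The PE version resource survives a rename on disk, so a mismatch means the
    # file was renamed after it was built.
    if original and original != name:
        reasons.append(f"renamed binary: on-disk name {name!r}, version resource says {original!r}")
    # A legitimate name running from somewhere it is never installed.
    if name in EXPECTED_DIRS and parent not in EXPECTED_DIRS[name]:
        reasons.append(f"{name!r} executing from unexpected directory {parent!r}")
    return reasons


def find_masquerades(events):
    """Return (image_path, reasons) for every event that trips at least one rule."""
    return [(ev["Image"], triage(ev)) for ev in events if triage(ev)]


if __name__ == "__main__":
    for image, reasons in find_masquerades(EVENTS):
        print(image)
        for reason in reasons:
            print("   -", reason)
```

Unsigned tools often carry no version resource at all, so an empty OriginalFileName on a file claiming a Microsoft or vendor name is itself worth a look; the directory rule catches that case when the name is on the allowlist.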

Enterprise

T1027

.005

Obfuscated Files or Information: Indicator Removal from Tools

In the Triton Safety Instrumented System Attack, TEMP.Veles modified files based on the open-source project cryptcat in an apparent attempt to decrease anti-virus detection rates.[4]

Enterprise

T1588

.002

Obtain Capabilities: Tool

In the Triton Safety Instrumented System Attack, TEMP.Veles used tools such as Mimikatz and other open-source software.[4]

Enterprise

T1003

.001

OS Credential Dumping: LSASS Memory

In the Triton Safety Instrumented System Attack, TEMP.Veles used Mimikatz.[2]

Enterprise

T1053

.005

Scheduled Task/Job: Scheduled Task

In the Triton Safety Instrumented System Attack, TEMP.Veles installed scheduled tasks defined in XML files.[4]
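
Windows stores each scheduled task as an XML document in the Task Scheduler schema, and the same XML is recorded in the TaskContent field of Security event 4698 when a task is registered, so the definition can be inspected both on disk and from the audit log. The block below is an added example, not code from this page or from the cited reports: it parses that XML and scores the fields a responder checks first (the action, its arguments, the principal and run level, the Hidden setting, and the trigger types). The schema namespace is the real one; both task definitions are constructed for the example, and the switch patterns and interpreter list are assumptions.

```python
"""Parse a Task Scheduler XML definition and flag what a defender would look at.

Added example, not code from the ATT&CK page or the cited reports. The two
task definitions below are constructed for the example; the schema namespace
is the real one used by Windows task XML. The same XML arrives in the
TaskContent field of Security event 4698 when a task is registered.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}
# Switches commonly seen when a scheduled task launches a hidden or encoded script (assumed list).
SUSPICIOUS_ARGS = re.compile(
    r"(-enc\w*|-encodedcommand|bypass|-w(indowstyle)?\s+hidden|-nop\w*|downloadstring|\biex\b)",
    re.IGNORECASE,
)

# Constructed: a task that launches a hidden PowerShell script at boot as LocalSystem.
SUSPICIOUS_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec>
    <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
    <Arguments>-NoP -W Hidden -ExecutionPolicy Bypass -File C:\ProgramData\update.ps1</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed: a routine nightly backup job for comparison (hypothetical product and account).
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2017-06-01T02:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>PLANT\svc_backup</UserId><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author"><Exec>
    <Command>"C:\Program Files\HistorianBackup\backup.exe"</Command>
    <Arguments>/nightly</Arguments>
  </Exec></Actions>
</Task>"""


def parse_task(xml_text):
    """Extract the fields that matter; the XML declaration is stripped so a str parses cleanly."""
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)
    root = ET.fromstring(text)

    def txt(path):
        el = root.find(path, NS)
        return (el.text or "").strip() if el is not None else ""

    return {
        "command": txt("t:Actions/t:Exec/t:Command"),
        "arguments": txt("t:Actions/t:Exec/t:Arguments"),
        "user": txt("t:Principals/t:Principal/t:UserId"),
        "run_level": txt("t:Principals/t:Principal/t:RunLevel"),
        "hidden": txt("t:Settings/t:Hidden").lower() == "true",
        # Trigger element names (BootTrigger, LogonTrigger, CalendarTrigger, ...) without the namespace.
        "triggers": [el.tag.split("}")[-1] for el in root.findall("t:Triggers/*", NS)],
    }


def score_task(task):
    """Return a list of findings; an empty list means nothing in the definition stood out."""
    exe = task["command"].strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    findings = []
    if exe in INTERPRETERS:
        findings.append(f"action runs a script interpreter ({exe})")
    if SUSPICIOUS_ARGS.search(task["arguments"]):
        findings.append("arguments use encoded/hidden/bypass switches")
    if task["run_level"] == "HighestAvailable" or task["user"].upper() == "S-1-5-18":
        findings.append("runs elevated (HighestAvailable or LocalSystem)")
    if task["hidden"]:
        findings.append("task is hidden from the Task Scheduler UI")
    if any(t in ("BootTrigger", "LogonTrigger") for t in task["triggers"]):
        findings.append("persists via boot or logon trigger")
    return findings


if __name__ == "__main__":
    for label, xml_text in (("suspicious", SUSPICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(label, score_task(parse_task(xml_text)))
```

On disk the task XML under C:\Windows\System32\Tasks is UTF-16 encoded; decode it to a str before calling parse_task, which then discards the declaration that would otherwise disagree with the decoded text.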

ICS

T0830

Adversary-in-the-Middle

In the Triton Safety Instrumented System Attack, TEMP.Veles changed the phone numbers tied to specific accounts in a designated contact list. They then used the changed numbers to redirect network traffic to websites under their control, which let them capture and use any login codes sent to those devices by text message.[1]

ICS

T0807

Command-Line Interface

In the Triton Safety Instrumented System Attack, the TEMP.Veles tool took a single option on the command line: the IP address of the target Triconex controller.[5]

ICS

T0872

Indicator Removal on Host

In the Triton Safety Instrumented System Attack, TEMP.Veles built Triton to programmatically return the controller to a normal running state if the malware's attack failed. If the controller could not recover within a defined time window, Triton overwrote its malicious program on the controller with invalid data.[5]

ICS

T0867

Lateral Tool Transfer

In the Triton Safety Instrumented System Attack, TEMP.Veles made attempts on multiple victim machines to transfer and execute the WMImplant tool.[4]

ICS

T0828

Loss of Productivity and Revenue

In the Triton Safety Instrumented System Attack, TEMP.Veles tripped a controller into a fail-safe state, which caused an automatic shutdown of the plant. Plant operations were paused for more than a week, halting the industrial process and its productivity.[5]

ICS

T0843

.003

Program Download: Program Append

In the Triton Safety Instrumented System Attack, TEMP.Veles downloaded multiple rounds of control logic to the Safety Instrumented System (SIS) controllers through a program append operation.[5]

ICS

T0886

Remote Services

In the Triton Safety Instrumented System Attack, TEMP.Veles utilized remote desktop protocol (RDP) jump boxes and poorly configured OT firewalls, along with traditional malware backdoors, to move into the ICS environment.[2][1]

ICS

T0853

Scripting

In the Triton Safety Instrumented System Attack, TEMP.Veles used a publicly available PowerShell-based tool, WMImplant.[4]

ICS

T1692

.001

Unauthorized Message: Command Message

In the Triton Safety Instrumented System Attack, TEMP.Veles leveraged Triton to send unauthorized command messages to the Triconex safety controllers.[2]

ICS

T0859

Valid Accounts

In the Triton Safety Instrumented System Attack, TEMP.Veles used valid credentials when laterally moving through RDP jump boxes into the ICS environment.[2]
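
The two entries above (Remote Services and Valid Accounts) describe the same path: valid credentials used over RDP through a jump box, plus firewall rules loose enough to let other routes through. Because the credentials are valid, the logon events themselves look normal; what stands out is the path and the account. The block below is an added example, not code from this page or from the cited reports. It correlates RDP logons (Windows Security event 4624, logon type 10) and flags three deviations: RDP into the OT segment from anywhere other than the approved jump box (the firewall should have dropped it), a hop from the jump box by an account that never logged on to the jump box interactively (consistent with a backdoor or tunnel on the jump box), and an account outside the list permitted to reach OT. The subnets, allowlists and every logon record are assumptions constructed for the example.

```python
"""Correlate RDP logons that cross from IT into the OT network.

Added example, not code from the ATT&CK page or from the cited reports. The
network layout, allowlists and every logon record below are assumptions
constructed for the example. Records carry the fields of a Windows Security
event 4624 that matter here; logon type 10 is RemoteInteractive (RDP).
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

OT_NET = ip_network("10.30.0.0/16")              # assumed control-system segment
JUMP_HOSTS = {ip_address("10.20.0.5")}           # assumed approved RDP jump box in the DMZ
OT_AUTHORIZED = {"PLANT\\eng01"}                 # assumed accounts permitted to RDP into OT
REMOTE_INTERACTIVE = 10


def logon(time, host, dst_ip, account, logon_type, src_ip):
    """Build one 4624-style record (constructed data, not a real log line)."""
    return {"time": time, "host": host, "dst_ip": dst_ip,
            "account": account, "logon_type": logon_type, "src_ip": src_ip}


# Constructed records, not logs from the incident.
EVENTS = [
    logon("2017-06-01T09:00:00", "JUMP01", "10.20.0.5", "PLANT\\eng01", 10, "10.10.4.22"),
    logon("2017-06-01T09:03:00", "EWS01", "10.30.1.10", "PLANT\\eng01", 10, "10.20.0.5"),
    logon("2017-06-01T09:05:00", "EWS01", "10.30.1.10", "PLANT\\eng01", 3, "10.30.1.11"),
    # Hop from the jump box with no interactive session on it: a backdoor or tunnel there.
    logon("2017-06-01T11:42:00", "EWS01", "10.30.1.10", "PLANT\\svc_backup", 10, "10.20.0.5"),
    # RDP straight from an IT workstation into OT: the firewall should have dropped this.
    logon("2017-06-02T02:15:00", "EWS01", "10.30.1.10", "PLANT\\eng01", 10, "10.10.4.22"),
]


def ot_rdp_findings(events, window=timedelta(hours=8)):
    """Return (time, account, reason) for each OT RDP logon that breaks the expected path."""
    findings = []
    jump_sessions = {}  # account -> times it logged on interactively to a jump host
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != REMOTE_INTERACTIVE:
            continue
        t = datetime.fromisoformat(ev["time"])
        dst, src, acct = ip_address(ev["dst_ip"]), ip_address(ev["src_ip"]), ev["account"]
        if dst in JUMP_HOSTS:
            # Logon onto the jump box itself: remember it for the hop check below.
            jump_sessions.setdefault(acct, []).append(t)
            continue
        if dst not in OT_NET:
            continue
        if src not in JUMP_HOSTS:
            findings.append((ev["time"], acct,
                             f"RDP into {ev['host']} from {src} bypasses the jump box"))
        elif not any(t - window <= s <= t for s in jump_sessions.get(acct, [])):
            findings.append((ev["time"], acct,
                             f"RDP into {ev['host']} via jump box with no preceding jump-box logon"))
        if acct not in OT_AUTHORIZED:
            findings.append((ev["time"], acct,
                             f"account is not authorized for OT RDP ({ev['host']})"))
    return findings


if __name__ == "__main__":
    for time, acct, reason in ot_rdp_findings(EVENTS):
        print(time, acct, reason)
```

The correlation window (eight hours here) is a policy choice: it should cover a normal shift so that an engineer's morning jump-box logon still explains an afternoon hop, but not so long that a credential reused days later slips through.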