xorl %eax, %eax

OPSEC fail: Triton ICS malware


This was a pretty nasty OPSEC failure that happened about two months ago, and it all started with one of my favourite threat hunting platforms, VirusTotal. The failure is nothing more than this: someone uploaded this targeted malware to VirusTotal, and that is how it got leaked. So this post will not focus that much on the malware itself but on the OPSEC failure behind it.



The photo above shows some SIS (Safety Instrumented System) products. SIS controllers are the target of this now-public malware, known as Triton or Trisis. If you want to fully understand what the malware does, I suggest you study the following.

What matters for this post is the operational security side of things. Like many others, I personally use online sandbox services like VirusTotal for threat hunting, and not only to find new malware samples but also to find non-malicious documents that contain sensitive information and were uploaded by mistake. This is a well-known technique, yet many professionals forget that anything submitted to such a service becomes searchable by other users, including your adversaries. So, what can you do about it?

Here are a few easy steps you can take to protect your organization.

  • During the interview process (or awareness training), assess your employees' understanding of OPSEC. For example, if someone describes an analysis that used an online or cloud tool, ask “what is the risk of using this tool for the analysis?”. Basically, make them think twice before submitting anything outside the organization's network.
  • Use endpoint solutions and perimeter application-level firewalls to allow access to sharing platforms only to the employees who need them for their work. This limits the potential for unintended leaks.
  • For day-to-day detection, deploy scrapers that hunt for your IP (Intellectual Property) on online sharing platforms. Check Huginn, for example.
  • To respond effectively to such incidents, watermark your high-value information so that a leaked copy can be traced back to its source easily.
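As an added example (this is not code from the original post), here is a small Python sketch of the last two steps working together: a keyed per-recipient watermark, the matching logic a scraper such as a Huginn agent would run over the records it collects from a sharing platform, and the trace-back from a marker found in the wild to the copy it was issued to. The watermark key, the IP keyword list, the document, the recipients and the feed records are all constructed for this example.

```python
import hashlib
import hmac
import re

# Assumption: a secret known only to the organisation. Without it nobody can
# compute a valid marker, so a marker found in the wild is strong evidence of
# which copy leaked and cannot be planted to frame a recipient.
WATERMARK_KEY = b"replace-me-with-a-real-random-secret"

# Assumption: identifiers that should never appear on a public sharing
# platform (project code names, internal hostnames, ...).
IP_KEYWORDS = ("PROJECT-ORION", "SIS-LOGIC-V3", "internal.example.com")

# Marker format used by this example: "WM-" plus 16 hex characters.
MARKER_RE = re.compile(r"WM-([0-9a-f]{16})")


def make_marker(document_id, recipient):
    """Per-copy marker: truncated HMAC-SHA256 over (document, recipient)."""
    msg = f"{document_id}|{recipient}".encode()
    return "WM-" + hmac.new(WATERMARK_KEY, msg, hashlib.sha256).hexdigest()[:16]


def issue_copy(registry, text, document_id, recipient):
    """Watermark one copy of a document and record who received it.
    The marker is appended as a trailing comment in this plain-text example;
    real office formats would carry it in metadata or hidden text."""
    registry.append((document_id, recipient))
    return f"{text}\n<!-- {make_marker(document_id, recipient)} -->"


def trace_marker(registry, marker):
    """Map a marker found in the wild back to (document_id, recipient).
    The HMAC is recomputed for every issued copy and compared in constant
    time, so a forged or mistyped marker yields None instead of an accusation."""
    for document_id, recipient in registry:
        if hmac.compare_digest(make_marker(document_id, recipient), marker):
            return document_id, recipient
    return None


def find_leaks(records, registry):
    """Detection logic a scraper would run over items collected from a
    sharing platform. Each record is {"source", "name", "content"}.
    Returns one finding per record that carries a marker or an IP keyword."""
    findings = []
    for rec in records:
        content = rec["content"]
        reasons = []
        for m in MARKER_RE.finditer(content):
            marker = m.group(0)
            owner = trace_marker(registry, marker)
            if owner:
                reasons.append(f"watermark {marker} issued to {owner[1]} for {owner[0]}")
            else:
                reasons.append(f"unrecognised/forged watermark {marker}")
        for kw in IP_KEYWORDS:
            if kw.lower() in content.lower():
                reasons.append(f"IP keyword {kw!r}")
        if reasons:
            findings.append({"source": rec["source"], "name": rec["name"], "reasons": reasons})
    return findings


# Constructed data: two watermarked copies of one internal document.
REGISTRY = []
DOC = "Design notes for PROJECT-ORION safety logic."
COPY_ALICE = issue_copy(REGISTRY, DOC, "orion-design-v2", "alice@example.com")
COPY_BOB = issue_copy(REGISTRY, DOC, "orion-design-v2", "bob@example.com")

# Constructed stand-in for the results a scraper would pull from a platform:
# Bob's copy leaked, a harmless file, and a paste with a forged marker.
FEED = [
    {"source": "sharing-platform", "name": "notes.txt", "content": COPY_BOB},
    {"source": "sharing-platform", "name": "cat.jpg", "content": "just a cat"},
    {"source": "paste-site", "name": "dump.txt",
     "content": "see internal.example.com <!-- WM-0123456789abcdef -->"},
]

if __name__ == "__main__":
    for f in find_leaks(FEED, REGISTRY):
        print(f["source"], f["name"], "->", "; ".join(f["reasons"]))
```

Two design points worth keeping when you build the real thing: the marker is a keyed HMAC rather than a plain hash or a counter, so an outsider can neither compute a valid marker for a victim nor confirm a guess, and the trace-back recomputes and compares in constant time instead of trusting whatever string was found. In production the registry lives in a database, the feed comes from the platform's search API (VirusTotal, paste sites, code hosting) polled by something like Huginn, and the watermark is hidden in document metadata rather than a visible comment.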

Triton/Trisis was a valuable piece of code that some organization lost due to bad OPSEC. Don’t make the same mistakes. :)

Written by xorl

February 4, 2018 at 11:58

Posted in opsec
