Yesterday the DHS ICS-CERT updated
their Malware Analysis Report on the HatMan (or TRITON or TRISIS, depending on
which analysis you are looking at) attack on a Schneider Triconex Tricon safety shutdown system
installation in Saudi Arabia. While this is labeled as an ‘update’, it is closer
to a complete re-write of the original document. The new information comes from
a joint investigation by ICS-CERT and Schneider.
This is a technical report about the inner workings of
the HatMan malware. It does include a mention of how the newly
reported Schneider Triconex vulnerabilities were used by the malware. I
will leave to more technically qualified personnel the task of reviewing the technical
information provided in the report.
Having said that, there is one important point made about the
operation of the malware on page 16. In section 5.3.5 the report states:
“This code is run when the
compromised TS protocol command is received and provides RAT-like
functionality. Most importantly, it allows an actor to read and write
memory—including within the in-memory firmware region—and execute arbitrary
code regardless of the key switch position, including “RUN.” This allows an
actor to effect changes on the controller while it is in full operation, not
just while it is being reprogrammed.”
This may be the critical portion of the malware, because it
bypasses one of the primary protections designed into safety instrumented
systems: the physical key switch on the controller. This type of protection is used
in a number of control system elements (particularly PLCs) and is supposed to
give the operator control over when the device can be reprogrammed; with the key
in RUN, the controller is not supposed to accept logic or firmware changes. Note
that the quoted passage describes the already-installed implant, which answers a
crafted TS protocol command whatever the key position happens to be. Once an
attacker can read and write controller memory and execute code with the key in
RUN, the operational procedure built on the switch (only a person holding the
key, standing at the cabinet, can change the safety logic) no longer holds. Being able
to subvert this control re-emphasizes the ‘insecure by design’ nature of PLCs
in particular. It is not clear from this report whether the techniques used in the
HatMan malware against the Triconex devices would be adaptable to overcoming
this key switch feature in other systems.
Section 7 of the report, “Detection/Mitigation”, is well
worth reading as a stand-alone document. The statement about YARA rules, a
standard detection tool advocated by ICS-CERT in many instances, should be read
and memorized by researchers as a caution about relying on any single tool:
“This is not a reliable method for
detection, as the files may or may not be present on any workstation, and such
a rule cannot be used on a Tricon controller itself; however, it could be
useful for detection with agent-based detection systems or for scanning for
artifacts.”
And the final paragraph is probably the best summation of
the current state of control system security that I have seen:
“Ultimately, the best mitigation
strategy for this malware—and others of the same sort—is to employ defense in
depth and follow any relevant best practices. Rather than solely attempting to protect
vulnerable targets—such as the Triconex devices targeted by HatMan—one prevents
an attacker from ever reaching them.”
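One concrete form of “preventing an attacker from ever reaching them” is to treat the engineering protocol of the safety controllers as something only one designated workstation may speak, and to alarm on anything else. The following is an added example, written for this post and not code from the ICS-CERT report, Schneider, or the original article; it runs a simple allowlist check over constructed flow records. The port number (TriStation is commonly reported on UDP/1502), the network addresses, the flow-record layout and the sample traffic are all assumptions made for illustration and should be replaced with your own site's values.

```python
"""Added example (not from the ICS-CERT report or the blog post): flag
engineering-protocol traffic that reaches safety controllers from any host
other than the designated engineering workstation.

Assumptions, none of which come from the page:
- The TriStation (TS) engineering protocol is reached over UDP port 1502;
  confirm this against your own controller documentation.
- Flow records are available as text lines "src dst proto dport bytes",
  for example exported from a span-port collector. The sample data below
  is constructed, not captured traffic.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed port for the TriStation (TS) engineering protocol.
TS_PORT = 1502

# Hypothetical site layout: the safety-system network and the single
# workstation that is allowed to program the controllers on it.
SAFETY_NET = ip_network("10.10.30.0/24")
ENGINEERING_WORKSTATIONS = {ip_address("10.10.20.5")}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    nbytes: int


def parse_flow(line):
    """Parse one whitespace-separated 'src dst proto dport bytes' record."""
    src, dst, proto, dport, nbytes = line.split()
    return Flow(src, dst, proto.lower(), int(dport), int(nbytes))


def is_ts_to_sis(flow):
    """True when the flow targets a safety controller on the assumed TS port."""
    return (flow.proto == "udp"
            and flow.dport == TS_PORT
            and ip_address(flow.dst) in SAFETY_NET)


def check_flows(lines):
    """Return one alert string per flow that reaches a safety controller on
    the TS port from a host that is not an approved engineering workstation.
    Comment lines and blank lines are skipped; non-TS traffic is ignored here."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        if not is_ts_to_sis(flow):
            continue
        if ip_address(flow.src) not in ENGINEERING_WORKSTATIONS:
            alerts.append(
                f"unexpected TS traffic {flow.src} -> {flow.dst}:{flow.dport} "
                f"({flow.nbytes} bytes)"
            )
    return alerts


# Constructed sample records. Only two of these should be flagged: the two
# UDP/1502 flows whose source is not the approved engineering workstation.
SAMPLE_FLOWS = """
# src          dst          proto dport bytes   (constructed sample)
10.10.20.5     10.10.30.11  udp   1502  412
10.10.20.5     10.10.30.12  udp   1502  396
10.10.20.77    10.10.30.11  udp   1502  20480
10.10.20.77    10.10.30.11  tcp   502   128
10.10.40.3     10.10.30.12  udp   1502  9120
""".strip().splitlines()


if __name__ == "__main__":
    for alert in check_flows(SAMPLE_FLOWS):
        print(alert)
```

The check is deliberately dumb: it does not parse the TS protocol at all, it only asks whether the right host is talking to the safety network on the engineering port. That is the point of the report's closing advice. A rule like this (or the equivalent firewall allowlist between the process control network and the safety network) does not depend on recognizing HatMan's files, which the report notes may not be present on any workstation, and it does not need to run on the Tricon itself.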
1 comment:
Thank you Patrick for the quick overview!