Security researchers describe TRITON as the first reported attack to target a safety instrumented system (SIS) at an industrial plant and call it a watershed: other attackers will study it and try to execute similar attack methods in the future.
Based on the analysis published by FireEye and Dragos, the TRITON attack framework was delivered as two files:
- trilog.exe – a py2exe-compiled Python script masquerading as the legitimate Triconex TriLog application – the main executable, which loads its libraries from a zip archive.
- library.zip – containing the Triconex attack framework and the payloads.
trilog.exe cannot run without library.zip: once invoked, it depends on the libraries and binaries inside library.zip to connect to the Triconex controllers and reprogram them.
How would the ODIX system have stopped this attack?
With a policy that does not allow PYC or BIN files to enter the network, the ODIX sanitization process would have recursively inspected library.zip and dropped the unauthorized content inside it, leaving trilog.exe without the modules and payloads it needs and rendering the main process useless. Note that such a policy has to be enforced on the actual content type, not only on the file extension, or an attacker simply renames the payloads. So if the SIS environment had been properly isolated and every file introduced into it had been sanitized under such a policy, the attack would have been prevented.
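The sanitization step described above, as an added illustration that is not ODIX's own code: a policy-driven recursive zip filter that rebuilds an archive keeping only entries that pass policy, recurses into nested zips, and detects CPython bytecode by its magic number rather than trusting the extension. The blocked-extension list, the nesting limit and the sample archive (a constructed stand-in for library.zip with placeholder file names and contents) are assumptions of this example.

```python
from __future__ import annotations

import importlib.util
import io
import zipfile

# Assumed policy (from the page's PYC/BIN example): extensions that must not
# enter the SIS network. Extend as required.
BLOCKED_EXTENSIONS = {".pyc", ".bin"}
# Assumed limit so a zip-in-zip bomb cannot make the sanitizer recurse forever.
MAX_NESTING = 4

# Real 4-byte magic of the running interpreter's .pyc files (ends in b"\r\n").
PYC_MAGIC = importlib.util.MAGIC_NUMBER


def looks_like_pyc(data: bytes) -> bool:
    """Every CPython .pyc starts with a version-specific 2-byte magic followed
    by b"\\r\\n"; byte 1 is non-printable (0x0b-0x0d for Python 3, 0xf0+ for
    Python 2). Checking the header catches a .pyc renamed to .txt."""
    return (
        len(data) >= 4
        and data[2:4] == b"\r\n"
        and (data[1] < 0x20 or data[1] > 0x7E)
    )


def looks_like_zip(data: bytes) -> bool:
    """Local file header signature of a non-empty zip archive."""
    return data[:4] == b"PK\x03\x04"


def is_blocked(name: str, data: bytes) -> str | None:
    """Return a reason if the entry violates policy, else None."""
    lower = name.lower()
    for ext in BLOCKED_EXTENSIONS:
        if lower.endswith(ext):
            return f"blocked extension {ext}"
    if looks_like_pyc(data):
        return "pyc magic despite extension"
    return None


def sanitize_zip(data: bytes, depth: int = 0) -> tuple[bytes, list[str]]:
    """Rebuild the archive in memory, dropping entries that violate policy.
    Nested archives are sanitized recursively and re-packed in place."""
    if depth > MAX_NESTING:
        raise ValueError("archive nesting too deep")
    dropped: list[str] = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(
        out, "w", zipfile.ZIP_DEFLATED
    ) as dst:
        for info in src.infolist():
            if info.is_dir():
                continue
            body = src.read(info.filename)
            reason = is_blocked(info.filename, body)
            if reason:
                dropped.append(f"{info.filename}: {reason}")
                continue
            if looks_like_zip(body) or info.filename.lower().endswith(".zip"):
                body, inner = sanitize_zip(body, depth + 1)
                dropped.extend(f"{info.filename}/{d}" for d in inner)
            dst.writestr(info.filename, body)
    return out.getvalue(), dropped


def entry_names(data: bytes) -> list[str]:
    """Names of the files left in an archive (for reporting and testing)."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return [i.filename for i in z.infolist() if not i.is_dir()]


def build_sample_archive() -> bytes:
    """Constructed stand-in for the attacker's library.zip; not the real file."""
    fake_pyc = PYC_MAGIC + b"\x00" * 12
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("deep/helper.pyc", fake_pyc)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("readme.txt", "Triconex project notes\r\n")
        z.writestr("comm/tristation.py", "def connect():\n    pass\n")
        z.writestr("payload.bin", b"\x00\x01\x02\x03")
        z.writestr("tools/loader.pyc", fake_pyc)
        z.writestr("notes.txt", fake_pyc)          # renamed bytecode
        z.writestr("nested.zip", inner.getvalue())  # archive inside archive
    return buf.getvalue()


if __name__ == "__main__":
    clean, dropped = sanitize_zip(build_sample_archive())
    print("dropped:", *dropped, sep="\n  ")
    print("kept:", entry_names(clean))
```

Because the filter never extracts to disk, path-traversal names inside the archive are harmless here; the nesting limit is what protects the sanitizer itself. The header check is a heuristic: it is deliberately version-agnostic so bytecode from a Python other than the one running the sanitizer is still caught, which is exactly the situation with a py2exe bundle.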
ODI's Deep File Inspection process, based on its CDR (Content Disarm and Reconstruction) technology, keeps the network secure and ahead of such threats without compromising system performance or productivity.
The ODIX engine checks every file entering the network, ensuring all files are malware-free and safe to use.
The proactive and preventive nature of ODI's process makes it an effective way to block unknown cyberattacks.
Learn more about the 4 defense lines of the ODIX process here.