Was the Triton Malware Attack Russian in Origin?

The conventional story is that Iran targeted Saudi Arabia with Triton in 2017. New research from FireEye indicates that it might have been Russia.

I don't know. FireEye likes to attribute all sorts of things to Russia, but the evidence here looks pretty good.

Posted on October 31, 2018 at 12:44 PM • 13 Comments

Comments

echo • October 31, 2018 12:59 PM

I'm sceptical of attribution but at the same time undecided/maybe. I read about this a while ago. Re-reading it, the only question I have besides motive is: could this kind of thing be manufactured from available data on black hat sites and/or black hat activity?

The only other question I have is why it is always Russians (and sometimes Chinese) who get caught?

Actually, another question I suppose is assuming attribution is accurate are there reasons why people are driven to this kind of activity and others are not?

As per the article I read elsewhere, Russia is playing a delicate balancing game of forces and it would be odd to risk this. The other issue is the oil production war between Russia and Saudi Arabia, with the Russians essentially saying they won't blink if Saudi Arabia attempts to control the market at Russia's expense. If I recall, this was not a battle Saudi Arabia won?

I'm not expert enough to have a view and wouldn't want to look an idiot by trying.

Tyler • October 31, 2018 1:16 PM

Russians and Chinese aren't the only ones who get caught... North Korea gets caught rather frequently as well. These are the places with the largest state-sponsored offensive hacking programs in the east, so it may just be frequency, or it may be that these states are easily framed given their reputations.

RealFakeNews • October 31, 2018 2:05 PM

Attribution would be funny if it wasn't so serious.

Strange that only Russia/China/NK are ever at fault.

Personally, I don't believe anything like this because it always comes from the same source(s), and does anyone seriously think we don't do the same in return?

Do Russian/Chinese news outlets or research centers ever blame US/UK for anything?

It all stinks of propaganda.

Summary: take anything that matters offline.

vas pup • October 31, 2018 2:40 PM

@all: The King of SA not long ago visited Moscow and met with the President and high-level officials. He got a real king's reception, but now a young man looks to be in charge.
That statement in the article only partially describes the balance of forces: "Russia has little incentive to antagonize Saudi Arabia, says Andrea Kendall-Taylor, a former senior intelligence officer currently at the Center for a New American Security think tank. "Moscow's targeting of Saudi Arabia is inconsistent with my understanding of Russia's geopolitical goals," Kendall-Taylor says. "Moreover, Putin probably would like to maintain a good relationship with Saudi to avoid the appearance of entirely siding with Iran." SA, with the young man/prince of the King's family in charge, recently tilted towards the US, so Russia may have an interest in counterbalancing this development.
You may not like POTUS's manners, but he is right:
"If the US canceled the weapons deal with SA [as a result of the journalist's murder in Turkey], Russia and China will fill the void." I'd say we should consider all possible multi-vector Russian geopolitical goals in this very complicated region.
Moreover, Snowden disclosed existing tools which could spoof attribution. So, I'll side with @echo's last statement.

Genie • October 31, 2018 9:01 PM

... industrial control systems ... Middle East. Attackers planted "Triton," a.k.a. "Trisis," with the intent of carrying out a “high-impact attack” against an unnamed company with the goal of causing physical damage, researchers said.

As in "tritium," a suggestion of something nuclear or radioactive. The "goal" of this malware is apparently to damage Iran's uranium-enriching centrifuges. Same as Stuxnet. The researchers don't want to admit they are helping the Iranians fix their centrifuges, in contravention of Obama's "deal."

Are the Israelis behind this malware? And where do the Saudis stand with Sunni vs. Shi'a and all that? Was Iran behind the murder of Khashoggi? Now that sounds like a false flag, all the news media's attention on Saudi Arabia while Iran is still enriching weapons-grade fissile uranium.

Tom • October 31, 2018 9:53 PM

@vas pup

> "If US canceled weapon deal with SA [as result of journalist murder in Turkey], Russia and China will fill the void."

No, they won't, at least not for a long, long time. An army is built around weapon systems that require supply chains and training and many other finicky details to keep them operating. An army doesn't change one system out for another overnight. The Saudis have built their army around our systems. They won't throw that investment away. They can't afford to.

Iran is still flying F-14 Tomcats purchased from the U.S. in the 1970s.

Clive Robinson • October 31, 2018 10:45 PM

@ Bruce,

I don't know. FireEye likes to attribute all sorts of things to Russia, but the evidence here looks pretty good.

I don't know either, and FireEye, as you note, likes to follow whatever the current US Existential Threat is when it comes to the "Gang of Four": China / Iran / North Korea / Russia.

The first questions to ask are "Means, Motive, and Opportunity". When it comes to "things cyber", all four are assumed to have not just the means but the opportunity as well, which just leaves us Motive as a differentiator.

However, whilst "follow the money" would be the next logical question for criminals, for state-level actors and large corporates you have to look for other Motives.

The reason is you are dealing with moderately intelligent entities who can and will use misdirection for gains in non-monetary directions.

Russia has been under US-driven focus now for a lot longer than any other of the Gang of Four has in the past. Potentially they could have faked up the attack to take pressure off of them and destabilize Iran at the same time. We know the CIA had tools to do exactly this kind of misattribution, so it's not unreasonable to assume most of the more prominent nations' ICs do.

We also know that Russia started the first "Proxy Wars" shortly after WWII. Saudi and the House of Saud are quite important to the US in many ways; having a pop at them is almost the same as having a pop at Israel or the US itself.

But certain people in the US see the Middle East being "destabilised" as advantageous, which is why we are seeing some of the treaties the US is trying to get out of affecting Iran.

Thus it's easy to see how you can get into a hall of mirrors with much in the way of coloured smoke, to confuse and bamboozle...

Which is why I would be naturally suspicious of what appear to be snap judgements.

Weather • October 31, 2018 11:49 PM

I think Iran and China wouldn't do it, North Korea has their own world, and Russia knows enough of that stuff. I'm pretty sure there isn't any substance in the last month's posts, but as a defense measure it might be good to comment.

Ismar • November 1, 2018 3:42 AM

This is like arguing about whether a projectile fired by Iran using a Russian-made arms system was Iranian or Russian in origin.
These software-based weapons are no different from their hardware equivalents in their intended goals, and as such all other analogies apply as well.

littleknown • November 1, 2018 3:23 PM

The big four are the ones that ever get caught. So at least this much is certain: that the big four are into cyber offense. It is difficult to imagine that if any country on the earth has a capability, the US wouldn't (and by extension, the Five Eyes).
Of the forty-odd APTs that FireEye tracks, none of them is attributed to the US? Not even Kaspersky has the balls to release a report which implicates the US.

Doesn't the US have any offensive capabilities? The Snowden docs indicate otherwise. So if security vendors are shying away from reporting the US capabilities, it affects their credibility.

lesserknown • November 2, 2018 10:36 AM

@littleknown - Kaspersky regularly reports on US activity. See equation group/slingshot/etc. I'm sure Chinese vendors do, too.

@everyone else - China/Russia/Iran/NK are reported the most because they are the most capable actors taking on high-value western targets. When high-value western targets are hacked, they hire high-dollar western security firms. CRIN are not the only players (these firms report on Lebanon, Vietnam, and others), but they ARE the loudest players in vendor sightline.

And sure, it's possible that we'll see an elaborate misattrib campaign. But it's a lot harder than it sounds, and 9 times in 10 these attacks simply aren't much of a mystery. If NSA stole US Steel intellectual property, I'll eat my shoe.

If it looks like a duck, quacks like a duck, hacks targets in-line with the Five-Year Plan of a duck, it's reasonable to believe we're looking at a duck.

Sancho_P • November 2, 2018 1:34 PM

To sell cyber security you need a customer.
To sell cyber security in the billions you need a very potent customer.
- Who could be your valued customer?
Next is the customer must be hot - really hot.
Now, where could poor SA buy cyber security from? Russia? China?

- Gosh, is this @Bruce over there, riding the camel?

*** Who is next to shave? ***
Oh, the Americans, welcome!

No, security is an error, we need more offense capabilities to defend our business.
