ICS-TRISIS-TRITON-HATMAN

This repository contains original samples and decompiled sources of malware attacking commonly used in Industrial Control Systems (ICS) Triconex Safety Instrumented System (SIS) controllers. For more information scroll to "Learn More". SIS controller applications! Emergency shutdown (ESD) Turbine control (TMC) Boiler management System (BMS) Offshore fire & gas protection (F&G) Nuclear Any critical process

What is Safety Integrity Level (SIL)? The internationally recognized safety standards fall into different buckets, which can be an issue. ISA 84 and IEC 61508/61511 are the safety standards.

Triton

TRITON is one of the few publicly known examples of malware targeting Industrial Control Systems (ICS), after Stuxnet, Havex, Blackenergy2 and Industroyer, and the first publicly known example of malware targeting industrial safety controllers specifically.

TRITON does not leverage any 0-days but instead reprograms the target safety controllers via the TriStation protocol ) which lacks authentication.

As the TriStation protocol is proprietary and undocumented this means the attacker had to reverse engineer it, possibly through a combination of using similarities with the documented Triconex System Access Application (TSAA) protocol.

By default, Ethernet communications for TSAA take place over UDP port 1500 while those for TriStation take place over UDP port 1502.

The Triconex controllers have a physical four-position key switch which can be set to either RUN - PROGRAM - STOP or REMOTE.

TRITON Framework

TRITON Framework - The framework is written in Python and consists of the following components:�TS_cnames.py: TsHi.py: TsBase.py: - TsLow.py:

The payload used in the incident can be thought of as a four-stage shellcode.�-- Stage 1: Argument-Setter (PresetStatusField)�--Stage 2: Implant Installer (inject.bin)�--Stage 3: Backdoor Implant (imain.bin)�--Stage 4: Missing OT Payload ��