TRITON malware was first identified during an attack on a Saudi Arabian petrochemical plant facility in the year 2017 and it targets Schneider Electric’s Triconex Tricon controllers. This was the first time in history that safety instrumented systems were targeted with the intention to fail, potentially leading to serious damage to property and humans.

TRITON’s toolbox contains eleven of the fourteen tactics mapped by MITTRE ATT&CK Matrix for Enterprise, the universally renowned knowledge base of adversary tactics and techniques based on real-world observations. In this, 7th part of the TRITON posts, the Collection technic is presented.

In the MITTRE ATT&CK Enterprise matrix, Collection consists of techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary’s objectives. Frequently, the next goal after collecting data is to steal (exfiltrate) the data. Common target sources include various drive types, browsers, audio, video, and email. Common collection methods include capturing screenshots and keyboard input.

Next week, we will present the Command and Control techniques of the TRITON malware.

About this article

This article was based on a Cybersecurity Advisory by CISA. You can read the full CSA here.

The Lateral Movement description came from the MITTRE ATT&CK website here.

Related posts

Add a comment