
Triton malware

Security researchers from FireEye’s Mandiant investigative division have spotted a new form of malware that’s capable of targeting industrial equipment.

FireEye named this malware TRITON and said they’ve spotted a threat actor deploying it in live attacks.

According to a report seen by Bleeping Computer before publication, the new TRITON malware was specifically built to interact with Triconex Safety Instrumented System (SIS) controllers.

SIS controllers are specialized equipment installed in production lines and other industrial setups. They work by reading data from industrial equipment, such as factory machinery, robots, valves, motors, and others. SIS controllers read these data streams and make sure the industrial equipment operates within certain parameters. If the data deviates from a predetermined safety margin, the SIS controller takes a set of actions, which in extreme cases can shut down an entire factory or production line, but will protect human lives and equipment.

TRITON malware targets Triconex SIS controllers

FireEye researchers say that a threat actor had targeted a company with TRITON malware that was disguised to look like legitimate Triconex SIS controller management software for Windows workstations.

The malware hidden inside this fake software would read the configuration files it found on the infected SIS engineering workstation, identify SIS controllers, and attempt to deploy certain payloads.

The payloads were configured to either shut down the production process or allow SIS-controlled machinery to work in an unsafe state, most likely to trigger physical damage.
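The safety loop described above, together with the kind of payload that lets machinery run outside its safety margin, as an added toy model (not Triconex logic and not code from the FireEye report); the tag names, limits and readings are constructed, and the baseline check shows one defensive control that exposes tampered limits:

```python
"""Toy model of an SIS safety loop: the controller reads process values,
compares them with configured safety limits and trips when a value leaves
the margin. verify_baseline() compares the active limits against an
approved, offline-stored fingerprint, so a payload that widens the limits
(letting equipment keep running in an unsafe state) no longer matches.
All tags, limits and readings below are constructed illustration data."""
from dataclasses import dataclass
import hashlib
import json


@dataclass(frozen=True)
class SafetyLimit:
    tag: str      # process variable name (constructed, e.g. a pressure transmitter)
    low: float    # lowest safe value
    high: float   # highest safe value


def evaluate_sis(limits, readings):
    """One scan cycle: return ("TRIP", [violating tags]) or ("RUN", [])."""
    violations = [lim.tag for lim in limits
                  if lim.tag in readings
                  and not lim.low <= readings[lim.tag] <= lim.high]
    return ("TRIP", violations) if violations else ("RUN", [])


def fingerprint(limits):
    """Stable SHA-256 over the canonical form of the safety configuration."""
    canon = json.dumps(sorted((lim.tag, lim.low, lim.high) for lim in limits))
    return hashlib.sha256(canon.encode()).hexdigest()


def verify_baseline(limits, expected_hash):
    """True only if the active limits match the approved baseline hash."""
    return fingerprint(limits) == expected_hash


# Constructed data: approved limits, and the same set with one limit widened,
# which is what "allow machinery to work in an unsafe state" amounts to here.
APPROVED = (SafetyLimit("PT-101", 0.0, 12.0), SafetyLimit("TT-201", -10.0, 150.0))
BASELINE_HASH = fingerprint(APPROVED)
TAMPERED = (SafetyLimit("PT-101", 0.0, 40.0), SafetyLimit("TT-201", -10.0, 150.0))
READINGS = {"PT-101": 18.5, "TT-201": 90.0}

if __name__ == "__main__":
    print(evaluate_sis(APPROVED, READINGS))           # ('TRIP', ['PT-101'])
    print(evaluate_sis(TAMPERED, READINGS))           # ('RUN', [])
    print(verify_baseline(TAMPERED, BASELINE_HASH))   # False
```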

TRITON malware modus operandi

FireEye: Nation-state actor most likely behind TRITON

“We assess with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shut down operations,” the FireEye team says.

“FireEye has not connected this activity to any actor we currently track; however, we assess with moderate confidence that the actor is sponsored by a nation state,” researchers say.

“The targeting of critical infrastructure as well as the attacker’s persistence, lack of any clear monetary goal and the technical resources necessary to create the attack framework suggest a well-resourced nation state actor.”

But researchers have not pointed any fingers at a specific country, nor did they reveal who the victim of this attack was, or in what country or industry vertical the company operated.

TRITON is an advanced piece of coding

Instead, FireEye repeatedly points out in its report that the attackers were highly skilled and came prepared to wreak havoc.

The first clue is that attackers deployed TRITON right away after gaining access to an SIS engineering workstation with access to SIS controllers. Experts say this means the group behind TRITON had pre-built and tested the malware beforehand and came prepared to inflict immediate damage.

Second, the malware included a mechanism to cover its tracks on SIS controllers and remove any clues the device was tampered with.

Third, the threat actor infected an SIS engineering workstation, a PC that usually sits behind a DMZ on an isolated network.

These are the reasons why FireEye believes this is not the work of an accidental hack or rival saboteur, but of a nation-state actor.

“The targeting of critical infrastructure to disrupt, degrade, or destroy systems is consistent with numerous attack and reconnaissance activities carried out globally by Russian, Iranian, North Korean, U.S., and Israeli nation state actors,” researchers said.

“Intrusions of this nature do not necessarily indicate an immediate intent to disrupt targeted systems, and may be preparation for a contingency,” the FireEye team said, hinting that this could have also been a live field test for a more sinister attack.

ICS attacks detected more and more frequently

Previous strains of ICS (Industrial Control Systems) malware used in live attacks include the likes of Industroyer and BlackEnergy (deployed in Ukraine), Sandworm (deployed in the US), and Stuxnet (deployed in Iran).

In September, Symantec warned that a nation-state group named Dragonfly had ramped up operations against US and European energy firms.

UPDATE: The FireEye report on the TRITON malware is now live, here.
