Security researchers from FireEye's Mandiant investigative division have spotted a new form of malware that's capable of targeting industrial equipment.
FireEye named this malware TRITON and said they've spotted a threat actor deploying it in live attacks.
According to a report seen by Bleeping Computer before publication, the new TRITON malware was specifically built to interact with Triconex Safety Instrumented System (SIS) controllers.
SIS controllers are special equipment installed in production lines and other industrial setups. They work by reading data from industrial equipment, such as factory machinery, robots, valves, motors, and others. SIS controllers read these data streams and make sure the industrial equipment operates within certain parameters. If the data deviates from a predetermined safety margin, the SIS controller takes a set of actions, which in extreme cases can shut down an entire factory or production line, but will protect human lives and equipment.
FireEye researchers say that a threat actor had targeted a company with TRITON malware that was disguised to look like legitimate Triconex SIS controller management software for Windows workstations.
The malware hidden inside this fake software would read the configuration files it found on the infected SIS engineering workstation, identify SIS controllers, and attempt to deploy certain payloads.
The payloads were configured to either shut down the production process or allow SIS-controlled machinery to work in an unsafe state, most likely to trigger physical damage.
"We assess with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shut down operations," the FireEye team says.
"FireEye has not connected this activity to any actor we currently track; however, we assess with moderate confidence that the actor is sponsored by a nation state," researchers say.
"The targeting of critical infrastructure as well as the attacker’s persistence, lack of any clear monetary goal and the technical resources necessary to create the attack framework suggest a well-resourced nation state actor."
But researchers have not pointed any fingers at a specific country, nor did they reveal who the victim of this attack was, or in what country or industry vertical the company operated.
Instead, FireEye repeatedly points out in its report that the attackers were highly skilled and came prepared to wreak havoc.
The first clue is that attackers deployed TRITON right away after gaining access to an SIS engineering workstation with access to SIS controllers. Experts say this means the group behind TRITON had pre-built and tested the malware beforehand and came prepared to inflict immediate damage.
Second, the malware included a mechanism to cover its tracks on SIS controllers and remove any clues the device was tampered with.
Third, the threat actor infected an SIS engineering workstation, a PC usually located behind a DMZ, on an isolated network.
These are the reasons why FireEye believes this is not the work of an accidental hack or rival saboteur, but of a nation-state actor.
"The targeting of critical infrastructure to disrupt, degrade, or destroy systems is consistent with numerous attack and reconnaissance activities carried out globally by Russian, Iranian, North Korean, U.S., and Israeli nation state actors," researchers said.
"Intrusions of this nature do not necessarily indicate an immediate intent to disrupt targeted systems, and may be preparation for a contingency," the FireEye team said, hinting that this could have also been a live field test for a more sinister attack.
Previous strains of ICS (Industrial Control Systems) malware used in live attacks include the likes of Industroyer and BlackEnergy (deployed in Ukraine), Sandworm (deployed in the US), and Stuxnet (deployed in Iran).
In September, Symantec warned that a nation-state group named Dragonfly had ramped up operations against US and European energy firms.
UPDATE: The FireEye report on the TRITON malware is now live, here.
UPDATE 2: Security firm Dragos also released a report on TRITON, which the company calls TRISIS. The report is available here, and according to Dragos, the malware was used against a company located in the Middle East.
UPDATE 3: Symantec has published its own analysis on TRITON, here.