Second target hit by notorious TRITON malware

Statue of Triton, son of Neptune, Nicola Salvi's Trevi Fountain, Italy. Photo: DeAgostini/Getty Images

The attackers who launched TRITON, a notorious industrial-system-focused malware only known to have been used once, have struck a second target, according to researchers at FireEye presenting at the Kaspersky Lab SAS Summit in Singapore.

Why it matters: FireEye was the first to discover TRITON, which startled researchers by amassing an uncommon amount of control over industrial systems. A mistake in the first attack inadvertently led to a plant shutdown and nearly caused a deadly explosion. While no one expected TRITON to be a one-time affair, its resurgence is jarring.

Background: The victim of the first attack was not identified by FireEye, but a harrowing account of the attack in E&E News revealed it to be the Petro Rabigh refinery on the Red Sea.

  • FireEye later attributed the design of components of the TRITON malware to a research institute in Moscow.

Details: The new victim, also not identified by FireEye, revealed the use of hacking tools not seen in the first attack.

  • The tools appear to date from as far back as 2014, though FireEye has never seen them in use in the past.
  • FireEye reported indicators and recommended techniques defenders can use to identify and thwart future TRITON attacks.
  • "[W]e strongly encourage industrial control system (ICS) asset owners to leverage the indicators, TTPs [tactics, techniques and procedures], and detections," FireEye wrote in its official report.