Axios
Technology
Joe Uchill

Second target hit by notorious TRITON malware

Statue of Triton, son of Neptune, Nicola Salvi's Trevi Fountain, Italy. Photo: DeAgostini/Getty Images

The attackers who launched TRITON, a notorious industrial-system-focused malware only known to have been used once, have struck a second target, according to researchers at FireEye presenting at the Kaspersky Lab SAS Summit in Singapore.

Why it matters: FireEye was the first to discover TRITON, which startled researchers by amassing an uncommon amount of control over industrial systems. Due to a mistake in the attack, it inadvertently led to a plant shutdown and nearly caused a deadly explosion. While no one expected TRITON to be a one-time affair, its resurgence is jarring.


Background: The victim of the first attack was not identified by FireEye, but a harrowing account of the attack in E&E News revealed it to be the Petro Rabigh refinery in the Red Sea.

  • FireEye later attributed the design of components of the TRITON malware to a research institute in Moscow.

Details: The new victim, also not identified by FireEye, revealed the use of hacking tools not seen in the first attack.

  • The tools appear to date from as far back as 2014, though FireEye has never seen them in use in the past.
  • FireEye reported indicators and recommended techniques defenders can use to identify and thwart future TRITON attacks.
  • "[W]e strongly encourage industrial control system (ICS) asset owners to leverage the indicators, TTPs [tactics, techniques and procedures], and detections," FireEye wrote in its official report.