The recently uncovered malware known as “Triton” and “Trisis” was likely developed by Iran and used to target an organization in Saudi Arabia, according to industrial cybersecurity and threat intelligence firm CyberX.
FireEye and Dragos reported on Thursday that a new piece of malware designed to target industrial control systems (ICS) had caused a shutdown at a critical infrastructure organization somewhere in the Middle East.
CyberX has also obtained samples of the malware and based on its threat intelligence team’s investigation, Triton/Trisis was likely created by Iran and the victim was likely an organization in Saudi Arabia.
“It’s widely believed that Iran was responsible for destructive attacks on Saudi Arabian IT networks in 2012 and more recently in 2017 with Shamoon, which destroyed ordinary PCs. This would definitely be an escalation of that threat because now we’re talking about critical infrastructure — but it’s also a logical next step for the adversary,” Phil Neray, VP of Industrial Cybersecurity for CyberX, told SecurityWeek.
“Stuxnet and more recently Industroyer showed that modern industrial malware can be used to reprogram and manipulate critical devices such as industrial controllers, and Triton appears to be simply an evolution of those approaches,” Neray added.
FireEye and Dragos would not comment on CyberX’s theory about Triton being developed and used by Iran. FireEye did however note in its report that the methods used were consistent with attacks previously attributed to Russian, Iranian, U.S., North Korean and Israeli nation-state actors.
Triton is designed to target Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers, which are used to monitor the state of a process and restore it to a safe state or safely shut it down if parameters indicate a potentially dangerous situation.
The malware uses the proprietary TriStation protocol to communicate with SIS controllers, and it’s capable of adding new ladder logic that allows the attackers to manipulate devices.
In the attack analyzed by FireEye and Dragos, the hackers’ activities resulted in the SIS controller triggering a process shutdown, which led to the discovery of the attack. However, experts believe the shutdown was likely an accident. One possible scenario is that the attackers were conducting reconnaissance as part of an operation whose ultimate goal was to cause physical damage.
Schneider Electric has published an advisory to inform customers about the incident and provide recommendations on how to prevent potential attacks. The company says there is no evidence that the malware exploits any vulnerabilities in the Triconex product, but it’s still working on determining if there are any other attack vectors.
“I think it’s a little comical that Schneider Electric felt obliged to state that the attack did not leverage any vulnerabilities in the Tritex product,” Neray commented. “OT environments are ‘vulnerable by design’ because they lack many of the controls we now take for granted in IT networks such as strong authentication. As a result, once an attacker gets into the OT network — by stealing credentials or connecting an infected laptop or USB, for example — they have almost free reign to connect to any control device they choose, and then reprogram them with malicious ladder logic to cause unsafe conditions. Based on the FireEye report, this appears to be exactly what the TRITON attackers did, similar to the way Industroyer modified ABB configuration files to perform its attack on the Ukrainian grid.”

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- ICS Cybersecurity Firm Opscura Launches With $9.4 Million in Series A Funding
- Patch Released for Actively Exploited GoAnywhere MFT Zero-Day
- VMware Says No Evidence of Zero-Day Exploitation in ESXiArgs Ransomware Attacks
- Critical Baicells Device Vulnerability Can Expose Telecoms Networks to Snooping
- SecurityWeek Analysis: Over 450 Cybersecurity M&A Deals Announced in 2022
- VMware ESXi Servers Targeted in Ransomware Attack via Old Vulnerability
- High-Severity Privilege Escalation Vulnerability Patched in VMware Workstation
- GoAnywhere MFT Users Warned of Zero-Day Exploit
Latest News
- Germany Appoints Central Bank IT Chief to Head Cybersecurity
- OpenSSL Ships Patch for High-Severity Flaws
- Software Supply Chain Security Firm Lineaje Raises $7 Million
- ICS Cybersecurity Firm Opscura Launches With $9.4 Million in Series A Funding
- Vulnerability Provided Access to Toyota Supplier Management Network
- Patch Released for Actively Exploited GoAnywhere MFT Zero-Day
- Linux Variant of Cl0p Ransomware Emerges
- VMware Says No Evidence of Zero-Day Exploitation in ESXiArgs Ransomware Attacks
