During a recent incident response investigation, FireEye’s Mandiant identified new malware, dubbed Triton, that targeted a critical infrastructure organization.
The Triton malware was built to interact with Triconex Safety Instrumented System (SIS) controllers and manipulate safety systems used to provide emergency shutdown capability for industrial processes.
FireEye reported they believe the activity may be consistent with a nation state preparing for a future attack.
Triton is one of a small number of malware families that target industrial control systems (ICS), following Stuxnet, discovered in 2010 after being used against Iran, and Industroyer, which FireEye believes the Sandworm Team used to target Ukraine in 2016. FireEye said the Triton activity was consistent with those earlier ICS attacks, with the objective of preventing safety mechanisms from working and causing severe disruption.
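Because Triton reaches the Triconex controllers over the TriStation engineering protocol (UDP port 1502), one practical check is to flag TriStation traffic to a safety controller from any host that is not a known engineering workstation. The following is an added example, not code from FireEye, Symantec or Schneider Electric; the flow-record format, the allowlist of engineering workstations and the controller addresses are all constructed for the illustration.

```python
from dataclasses import dataclass

# TriStation, the protocol used to program Triconex safety controllers, runs over UDP 1502
TRISTATION_UDP_PORT = 1502

# Constructed for this example: the only hosts permitted to speak TriStation
ALLOWED_ENGINEERING_WORKSTATIONS = {"10.10.1.5"}
# Constructed for this example: Triconex controller addresses on the safety network
SIS_CONTROLLERS = {"10.10.1.50", "10.10.1.51"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    # Record format is constructed for the example: "src=A dst=B proto=udp dport=1502"
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["src"], fields["dst"], fields["proto"].lower(), int(fields["dport"]))


def suspicious_tristation_flows(lines):
    """Return flows that carry TriStation to a safety controller from a non-allowlisted host."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        if flow.proto != "udp" or flow.dport != TRISTATION_UDP_PORT:
            continue  # not TriStation traffic
        if flow.dst not in SIS_CONTROLLERS:
            continue  # not aimed at a safety controller
        if flow.src not in ALLOWED_ENGINEERING_WORKSTATIONS:
            alerts.append(flow)
    return alerts


# Constructed sample flow records: two legitimate programming sessions from the
# engineering workstation, one TriStation session from an unexpected host, and
# one Modbus/TCP flow that should be ignored by this check.
SAMPLE_FLOWS = """
# src dst proto dport
src=10.10.1.5 dst=10.10.1.50 proto=udp dport=1502
src=10.10.1.5 dst=10.10.1.51 proto=udp dport=1502
src=10.10.2.77 dst=10.10.1.50 proto=udp dport=1502
src=10.10.2.77 dst=10.10.1.50 proto=tcp dport=502
""".splitlines()


if __name__ == "__main__":
    for flow in suspicious_tristation_flows(SAMPLE_FLOWS):
        print(f"ALERT: TriStation traffic from non-engineering host {flow.src} to SIS {flow.dst}")
```

The check is deliberately narrow: it does not inspect TriStation payloads, only who is talking to the safety controllers. On a properly segmented safety network the allowlist should be very short, so any hit is worth an analyst's attention even before deeper packet analysis.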
Symantec also posted more information on the Triton threat and said the new malware has been in existence since at least August 2017.
Symantec also reminded readers of the infamous Dragonfly espionage group, which compromised a number of ICS equipment providers to distribute the Oldrea Trojan (aka “Havex”). The company notes that its Critical System Protection product blocks the known Triton threat.