Triton Malware Still Targeting Energy Firms

The FBI’s latest Private Industry Notification warns the energy sector that the group behind Triton is still up to no good.

The global energy sector needs to stay alert for Triton malware, the Federal Bureau of Investigation said in a recent warning.

Triton (also known as Trisis and HatMan) is designed to “cause physical safety systems to cease operating or to operate in an unsafe manner,” the FBI says in its Private Industry Notification (PIN 20220324-001). The malware was used in a 2017 cyberattack against a petrochemical facility in the Middle East. The attack is attributed to the Central Scientific Research Institute of Chemistry and Mechanics (TsNIIkhM), a Russian government-backed research institution, and last week the United States Department of Justice unsealed an indictment against a Russian national and TsNIIkhM employee for his role in it.

In the 2017 attack, Triton targeted a Schneider Electric Triconex safety instrumented system (SIS), the layer that initiates a safe shutdown when a process drifts outside safe limits. The attacker gained initial access, moved laterally through the IT and OT networks, and finally reached the safety system network. From there the malware modified the firmware of the Triconex Tricon safety controllers in memory. With the controllers tampered with, a situation that should have triggered a safe shutdown could instead result in damage to the facility, system downtime, and even loss of life, the FBI says.
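The attack chain above (IT network to OT network to the safety network, then reprogramming the controllers) is exactly what zone-aware network monitoring is meant to catch. The following is an added example written for this article, not code from the FBI notice, Schneider Electric, or any vendor: it walks a flow log and flags two things, any flow that crosses from a less critical zone into a more critical one, and any TriStation traffic (the Triconex engineering protocol, which runs over UDP port 1502) from a host other than the engineering workstation. The zone address ranges, the authorized workstation address and the sample flow lines are all constructed for illustration.

```python
"""Zone-crossing and TriStation-traffic checks over network flow records.

Added example for this article; it is not code from the FBI notice or from
any vendor.  Addresses, zone layout and the sample flows are constructed.
"""
import ipaddress
from typing import List, Optional, Tuple

# Assumed network layout: enterprise IT, process-control OT, and the
# safety instrumented system (SIS) network that holds the Triconex
# controllers and their engineering workstation.
ZONES = {
    "it":  ipaddress.ip_network("10.10.0.0/16"),
    "ot":  ipaddress.ip_network("10.20.0.0/16"),
    "sis": ipaddress.ip_network("10.30.0.0/24"),
}
ZONE_RANK = {"it": 0, "ot": 1, "sis": 2}   # higher = more critical

# TriStation, the Triconex engineering protocol, uses UDP port 1502.
TRISTATION_PORT = 1502
# Assumed: the only host allowed to send TriStation traffic is the SIS
# engineering workstation.
AUTHORIZED_TRISTATION_SOURCES = {ipaddress.ip_address("10.30.0.10")}


def zone_of(ip) -> Optional[str]:
    """Return the zone name containing ip, or None if it is outside all zones."""
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def check_flow(src: str, dst: str, proto: str, dport: int) -> List[str]:
    """Return the reasons a single flow is suspicious (empty list if none)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    sz, dz = zone_of(s), zone_of(d)
    reasons = []
    # 1. Lateral movement toward a more critical zone.  A Triton-style
    #    intrusion crosses IT -> OT -> SIS; each hop is a policy violation
    #    unless it goes through a sanctioned conduit (none assumed here).
    if sz and dz and ZONE_RANK[dz] > ZONE_RANK[sz]:
        reasons.append(f"zone crossing {sz}->{dz}")
    # 2. Anything speaking TriStation that is not the engineering
    #    workstation.  Triton reprogrammed the Tricon over this protocol.
    if proto.lower() == "udp" and dport == TRISTATION_PORT \
            and s not in AUTHORIZED_TRISTATION_SOURCES:
        reasons.append("TriStation traffic from unauthorized source")
    return reasons


def analyze(flow_log: str) -> List[Tuple[str, str, str, str]]:
    """Parse 'timestamp src dst proto dport' lines into (ts, src, dst, reason) alerts."""
    alerts = []
    for line in flow_log.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, proto, dport = line.split()
        for reason in check_flow(src, dst, proto, int(dport)):
            alerts.append((ts, src, dst, reason))
    return alerts


# Constructed sample flows (not real traffic): an IT host reaching an OT
# server, that server reaching the SIS engineering workstation, legitimate
# engineering traffic, and the OT server talking TriStation directly.
SAMPLE_FLOWS = """\
2022-03-28T08:00:01Z 10.10.5.21 10.20.1.7  tcp 445
2022-03-28T08:02:15Z 10.20.1.7  10.30.0.10 tcp 3389
2022-03-28T08:05:44Z 10.30.0.10 10.30.0.50 udp 1502
2022-03-28T08:06:02Z 10.20.1.7  10.30.0.50 udp 1502
2022-03-28T08:07:30Z 10.30.0.10 10.30.0.51 udp 1502
"""

if __name__ == "__main__":
    for alert in analyze(SAMPLE_FLOWS):
        print(*alert)
```

Run against the sample, the script raises four alerts: the IT-to-OT hop, the OT-to-SIS hop, and two for the final flow, which both crosses into the safety zone and speaks TriStation from a host that is not the engineering workstation. The two legitimate workstation-to-controller flows produce nothing. In a real deployment the zone table and authorized-source set come from the site's network architecture, and the rank check would be relaxed for sanctioned conduits such as a data diode or a jump host.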
