Triton: Malware That Aims to Attack Industrial Safety Systems

Triton Trojan modifies safety instrumented systems to threaten human lives

Experts of FireEye have spotted a new dangerous malware currently known as Triton or Trisis. It mainly targets to infect safety instrumented systems (SIS) which are responsible for preventing industrial accidents and protecting human lives in the plant^[1].

While there is still no reliable information which specific factory Triton has compromised or even in which country it appeared, it is clear that its primary target is Triconex products developed by the well-known Schneider Electric company^[2]. They are widely used in nuclear energy, oil, gas, and some manufacturing facilities.

Schneider's equipment is designed to monitor the industrial processes and detect potential dangers in the work environment. Safety instrumented systems protect humans from physical harms, chemical leaks or explosions.

It is clear that any attempt to modify their codes might consequently put factory workers at risk. Thus, experts classify Triton as one of the most dangerous malware present today.

The peculiarities of Triton malware attack

The criminal(s) accessed SIS workstation operating on Windows OS remotely and installed the Triton Trojan. It comes in two files named as trilog.exe and library.zip. The latter is used to connect and contact the attackers, while the former is the main executable utilizing .zip file.

According to the analysis of FireEye technicians, Triton's filename was created to imitate the legitimate Triconex application and hide itself. Besides, the experts note that^[3]:

Along with the executable, two binary files, inject.bin (malicious function code) and imain.bin (malicious control logic), were deployed as the controller’s payload. These file names were hard coded in the Py2EXE compiled python script.

During the attack, several SIS machineries went to a failed safe state and prompted further investigation. According to the specialists, there was no damage made:

The investigation found that the SIS controllers initiated a safe shutdown when application code between redundant processing units failed a validation check — resulting in an MP diagnostic failure message.

Additionally, malware analysts say that the controller of Triton aimed to develop an ability to cause physical damage in the long run. It is because the attacker focused on continuing compromising SIS systems rather than shutdown or manipulating the process of the plant^[4].

Triton virus: Not the first attack on industrial control systems

While Triton virus is the first to target SIS controllers, there are similar hazards which were targeting industrial facilities as well^[5]. One of the best examples would be Stuxnet malware which also aimed to modify ICS, more specifically programmable logic controllers (PLC) in Iran's nuclear program.

The further noticeable threat was Oldrea Trojan, also known as Havex. It was developed by The Dragonfly group to threaten ICS similarly like the previous malicious programs.

Since it seems that the attackers are following the path which might cause potential physical danger to the factories, SIS users are advised to take every precautionary measure to avoid Triton attack.