Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


07:13 PM
Connect Directly

TRITON Attacker Disrupts ICS Operations, While Botching Attempt to Cause Physical Damage

TRITON malware is discovered after an attack on a safety monitoring system accidentally triggered the shutdown of an industrial process at an undisclosed organization.

Cyberattacks that cause physical damage to critical infrastructure—like the Stuxnet campaign that destroyed nearly 1,000 centrifuges at an Iranian uranium enrichment facility in 2010—have been relatively rare because of how difficult they are to carry out. That may be changing.

A threat actor with possible nation-state backing recently disrupted operations at a critical infrastructure facility when trying to reprogram a system used for monitoring the safety of industrial systems (ICS) at the location, using custom malware.

The incident, described in a report from FireEye this week, is one of few in recent years involving the use of a tool specifically developed to exploit weaknesses in industrial control systems. The only other publicly known examples are Stuxnet and Industroyer, a malware sample used by the Russia-backed Sandworm Team to attack Ukraine's electric grid last year.

FireEye, which investigated the latest incident, did not disclose the identity of the targeted organization or its location. But comments from two other security vendors—Symantec and CyberX—Thursday suggest the victim is based in the Middle East, possibly Saudi Arabia.

"We’re sharing this information in the hopes that operators will take action to improve their security," says John Hultquist, director of intelligence analysis at FireEye. "It is very concerning that the attacker targeted a safety system which is in place to protect people, the environment, and the equipment at the facility," he says.

FireEye said its Mandiant unit was recently called in to investigate an incident in which an attacker had deployed malware for manipulating systems that provided an emergency shutdown capability for industrial processes at the plant.

Mandiant's investigation led to the discovery of TRITON, a malware tool designed to modify the behavior of a so-called Triconex Safety Instrumented System (SIS) from Schneider Electric. Many industrial plants use SIS to independently monitor critical systems to ensure they are working within acceptable safety thresholds and to automatically shut them down when those thresholds are exceeded. TRITON was disguised as a legitimate application used by Triconex SIS to review logs.

In the incident that FireEye reported this week, the attacker apparently managed to gain remote access to a Triconex SIS workstation running Windows and installed TRITON on it in a bid to reprogram application memory on SIS controllers. During that process, some of the SIS controllers entered a failed safe mode that prompted an automatic shutdown of the industrial process, according to FireEye.

The shutdown appears to have been triggered inadvertently. But the broader goal itself seems have been to try and find a way to cause physical damage to plant equipment by reprogramming the SIS controllers.

Such a compromise would have allowed the attacker to manipulate the SIS so it would allow an unsafe condition to persist and cause system failures. Or the attacker would be able to use the compromised system to trigger incessant shutdowns through false alarms.

In an advisory, Symantec said it was aware of TRITON targeting SIS since at least this September. It works by infecting Windows systems that could end up being connected to a SIS workstation or device. "The malware then injects code modifying the behavior of the SIS device." Symantec said the company is still investigating the kind of damage that TRITON can do, but noted the malware has the potential to create severe disruptions at targeted organizations.

Several clues suggest a nation-state actor is behind the attack, FireEye said. For one thing, the attackers did not appear motivated by monetary gains at all and appeared interested in a high-impact attack via the SIS. TRITON was deployed almost immediately after the attacker had gained access to the SIS, indicated the tool had already been developed and tested on proprietary equipment and tools not normally available to common cybercriminals.

Phil Neray, vice president of industrial cybersecurity at CyberX, said the company has evidence pointing to Saudi Arabia as the likely target of the attack, which would make Iran a potential attacker. Iran is believed responsible for an attack on Saudi Aramco a few years ago, which destroyed thousands of PCs.

FireEye refused to divulge how the attackers might have gained access to the workstation, citing client confidentiality. But the company noted that ideally, safety instrumented systems must be segregated from process control and information system networks.

Over the past few years, many organizations have integrated these systems with other distributed control systems (DCS) that give human operators a way to monitor and manage critical systems. TRITON highlights the kind of risk that organizations run when allowing communication between DCS and SIS networks, FireEye noted.

"There have been several recent incidents where we have found Russian, Iranian, and North Korean hackers seeking to compromise industrial control systems with the ultimate goal of preparing for an attack at the time of their choosing," Hultquist says.

Recently, there have been multiple incidents when Russian actors have been found in nuclear systems and utility companies in the US and Europe. North Korea too has been making attempts to breach US critical infrastructure.

"This shutdown, however accidental, demonstrates the danger of these efforts," Hultquist notes. "An adversary probing these critical systems can make a mistake that can have much larger consequences."

Related content:

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
6/25/2019 | 10:53:56 AM
Triton Resolution
Powershell block port 39929

Write-Host " "
Write-Host "Block Triton ICS Port 39929"
Write-Host "-------------------------------"

$Name = "Triton-ICS-Attack-Port-39929"
$Triton = (Get-NetFirewallRule -DisplayName $Name)
$TPort = (Get-NetFirewallrule -DisplayName $Name | Get-NetFirewallPortFilter).LocalPort
if ( ( ($Triton).DisplayName -eq $Name) -And ($TPort -eq 39929) ) {
    Write-Host $Name "exists - ok"
} else {
    New-Netfirewallrule -Action Block -Enabled True -Direction Inbound -LocalPort 39929 -RemoteAddress Localsubnet -Name $Name -Profile Any -Protocol TCP -DisplayName $Name -RemotePort Any -Description "Triton-ICS-Attack-Port-39929"
    Get-NetFirewallRule -Name $Name

Antivirus Entry - Go to antivirus and program the software to look for "imain.bin, inject.bin and trilog.exe". Also, I recommend using Comodo HIDS or other software solutions that initiate system baselines. If the system identifies any changes, then the application would stop the file from executing if it was considered nefarious. 

From a linux standpoint:

iptables -I INPUT 1 -p tcp -m multiport --dport 39929 -m conntrack --ctstate NEW,ESTABLISHED -j DROP (iptables FW that tracks and Drops the port)


ufw allow in proto tcp from to port 39929 comment "Triton Blocked Port" (UFW Firewall Entry)

Download chkrootkit and/or rkhunter on the Linux/Unix machines to help find this potential problem.

Todd S,
Enterprise Architect
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-16
The JSON web services in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 20 and 7.2 before fix pack 10 may provide overly verbose error messages, which allows remote attackers to use the contents of error messages to help launch another, more focused att...
PUBLISHED: 2021-05-16
Denial-of-service (DoS) vulnerability in the Multi-Factor Authentication module in Liferay DXP 7.3 before fix pack 1 allows remote authenticated attackers to prevent any user from authenticating by (1) enabling Time-based One-time password (TOTP) on behalf of the other user or (2) modifying the othe...
PUBLISHED: 2021-05-16
The SimpleCaptcha implementation in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.3 before fix pack 1 does not invalidate CAPTCHA answers after it is used, which allows remote attackers to repeatedly perform actions protected by a CAPTCHA challenge by reusing the same CAPTCHA answer.
PUBLISHED: 2021-05-16
Delta Industrial Automation CNCSoft ScreenEditor Versions 1.01.28 (with ScreenEditor Version 1.01.2) and prior are vulnerable to an out-of-bounds read while processing project files, which may allow an attacker to execute arbitrary code.
PUBLISHED: 2021-05-16
Cross-site scripting (XSS) vulnerability in the Asset module's categories administration page in Liferay Portal 7.3.4 allows remote attackers to inject arbitrary web script or HTML via the site name.