Triton Threat Group Reappears in Second Critical Infrastructure Facility

Triton Wormed Their Way Into Another Critical Infrastructure, and Possibly Many More…

The advanced hacker group, Triton, was responsible for an attack on a Saudi petrochemical plant in 2017.  The attack would have been successful in destroying the facility, except there was a bug in Triton malware’s coding.

Now, years later, researchers have confirmed finding traces of the Triton group in another critical infrastructure facility.  Triton’s malware is designed to silently hide within a target’s network, taking the time to fully understand how the network looks and how each system is interconnected.  The goal is to quietly gain access to the facilities safety instrumented systems and industrial control systems.  The safety instrumented systems monitor the physical systems to ensure they do not operate outside of their normal operational state.  By learning the ins and outs of the critical safety systems, the hacking group is able to execute their cyber attack without causing the systems to enter into a safe fail-over state. 

Then, once the Triton group deploys the malware, they target the industrial control systems, which control the entire operations of the facility.  By sabotaging these controls, there would be a significant disruption to daily operations, if not generate an entire shutdown of operations.

Triton group’s most recent victim has been very discrete about the incident.  The name of the infrastructure is unknown, as is the type of facility and its location.  What is known is, the attack was found after the malware caused a process to shutdown that led to an investigation.  It is believed this shutdown was unintentional.  Although the motives of the attack have not been confirmed, it is believed Triton was attempting to build the capability to cause physical damage to the facility when the shutdown inadvertently was triggered. 

Due to the slow and steady approach used, there are concerns additional critical infrastructures may be compromised.  In an attempt to catch the hacking group before damage is done, a list of hashes unique to the files found at the second facility has been published.  The hope is, other at-risk facilities will use this hash list to check for any evidence their network files have been compromised. 

5,001 total views, 4 views today

(Visited 1 times, 1 visits today)

10 thoughts on “Triton Threat Group Reappears in Second Critical Infrastructure Facility

  1. Hackers run free because keeping the lights on is not nearly as important as smoke screening Hillary and her violations of the espionage act and certainly much less important that attacking the president. FBI should be deciding the who and how of our federal government, right?

  2. To The Old First Sgt; I work in the energy sector and I can tell you there is more automation and remote control coming. It’s cheaper than paying employees to be based in the field and being pushed by our governing structure.

  3. To Dave King:
    I believe you, 100%! I’m retired now (13 years) but I worked at a plant, too, as a non-instrument, non-computer person. But in conversations with those people, and having my self-taught background, I saw similar weaknesses where I worked. I also had a computer programming person friend there talk to me because he knew I understood. The things he told me just made me shake my head.

  4. I hope they don’t use Huawei’s 5G on their cell phones, then. I believe the Bloomberg report of last October was a proper investigation and reporting of the findings. But what’s wrong with the 5-eyes members that don’t ban Huawei and stay on the safe side, using the precautionary principle?

    That report from Bloomberg is at if you allow links to be posted

  5. Why are hackers running free? Does the government, state or federal, have any laws or penalties for people stealing ID, hacking computers? The email group I post to is about killed, by one person using Mail Chimp to steal people’s ID and cause mayhem in the group, also able to get in our computers and steal our contacts and leave worms and viruses behind. State government’s don’t care, and far as I know there are no penalties for the hackers to do these things. I wouldn’t be surprised if the government itself wasn’t funding some of this hacking. IOW, the government doesn’t want people talking to each other, sharing information and links. I can’t even write to my sister, and she won’t open my email because she says they have viruses. Sometimes I wonder if the antivirus companies themselves are not hacking so as to pick up business for themselves. I don’t trust anybody these days!

  6. With the ongoing pursuits toward AI, this is going to become easier for hackers to accomplish and harder to combat. Instrumentation could benefit, at least temporarily, by deploying a unique OS developed “in-house” and useful only to a particular manufacturer and/or application. Incompatibility to other existing OSs and circuit isolation are probably the only solutions to close the loop.

  7. One day soon, critical infrastructure is going to figure out, they need to get OFF LINE again. Back to dedicated hard line (or perhaps cell) connections, to make us SAFE again, or something horrible will happen.

  8. Industrial controllers are the least-protected OS’s ever coded. As an automation technician with more than 20 years’ experience, I complained long and loud about getting the manufacturing side of my plant’s network off of the external network as a physical barrier to protect the process from hackers. Didn’t do any good as the IT guys were certain their software capabilities were superior to any world-class bad actor or careless employee. To my knowledge, the plant was never hacked but I can tell you, confidently and discreetly, how to easily attack and completely disable an Allen-Bradley system using Wonder Ware as the human/machine interface (HMI) that cannot be easily, if ever, detected. In fact, it would require a complete rewrite using all new controller software and scrubbed HMI PC’s as well as most ordinary PC’s, especially those with supervisor access. The production co$t figure$ would be $eriously ugly…easily upwards from $100M.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.