FireEye’s Mandiant spotted new malware called Triton that has targeted a critical infrastructure organization. FireEye discovered the new threat as part of a recent incident response investigation for one of its customers.
The Triton malware was built to interact with Triconex Safety Instrumented System (SIS) controllers and manipulate safety systems. These systems provide emergency shutdown capabilities for industrial processes.
FireEye reported they believe the activity may be consistent with a nation state preparing for a future attack.
Triton is one of a small number of malware families that target industrial control systems (ICS). It follows Stuxnet, the malware used against Iran in 2010. In addition, FireEye believes Industroyer was used by the Sandworm Team to target Ukraine in 2016.
FireEye said that the Triton activity was consistent with previous ICS malware attacks, whose primary objective was to prevent safety mechanisms from working and cause severe disruption.
Symantec also posted more information on the Triton threat. The cybersecurity company said the new malware has been in existence since at least August 2017.
Symantec also reminded readers of the infamous Dragonfly espionage group, which took down a number of ICS equipment providers via the Oldrea Trojan (aka “Havex”).
Symantec also offers IoT Critical System Protection to block known threats.