Someone is targeting "critical infrastructure" safety systems in networked attacks

The Triton malware was first identified 16 months ago by researchers from Fireeye: it targets Triconex control systems from Schneider Electric, and was linked by Fireeye to the Central Scientific Research Institute of Chemistry and Mechanics in Moscow.


Now, Fireeye has published a report on a second instance of Triton being used in the field, this time to attack the safety instrumented systems (SIS) that use software and hardware to prevent power plants, refineries, and other large installations from exploding, venting toxic material, catching fire, etc.


The second example reveals that Triton attacks have been in the works since at least 2014, and surfaced an extensive toolsuite that gives more insight into how Triton's operators function.


The really frightening this about this is SIS targeting: that's the kind of thing that doesn't just shut down plants — it renders them permanently inoperable, and possibly kills some or all of the people in them and near them.


The SIS attacks are a logical progression on Stuxnet and the Russian "sandworm attacks" that got out of control and did $10B damage in 2018.

We now know the first incident wasn’t isolated. There are others. That is especially disconcerting given the danger associated with this threat, which we still know very little about. Though we’ve traced this back to the Russian institute we’re at a loss for explaining the motive here or whether even this is tied to some other country who might be contracting out with the institute.


We are releasing the tools and other information on this actor in the hopes that others will find them and we will all get a better handle on this emerging and disconcerting threat actor. We understand there’s some risk that the actor may go to ground. That may have already happened. After we released the blog on attribution in this case, the institute took operational security measures. They took down some of the information on their website and changed their WHOIS.

Hopefully, this is a first step in a global hunt for this actor that leads to some answers.


Mysterious safety-tampering malware infects a second critical infrastructure site [Dan Goodin/Ars Technica]