Triton malware was developed by Iran and used to target Saudi Arabia

Pierluigi Paganini December 16, 2017

CyberX who analyzed samples of the Triton malware believes it was likely developed by Iran and used to target an organization in Saudi Arabia.

Security experts from security firms FireEye and Dragos reported this week the discovery of a new strain of malware dubbed Triton (aka Trisis) specifically designed to target industrial control systems (ICS).

Both FireEye and Dragos would not attribute the Triton malware to a specific threat actor.

The Triton malware has been used in attacks aimed at an unnamed critical infrastructure organization, it caused a shutdown at a critical infrastructure organization somewhere in the Middle East.

“Mandiant recently responded to an incident at a critical infrastructure organization where an attacker deployed malware designed to manipulate industrial safety systems. The targeted systems provided emergency shutdown capability for industrial processes.” reads the analysis published by FireEye.

“We assess with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shutdown operations. This malware, which we call TRITON, is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers.”

According to report published by ICS cyber security firm Dragos, which tracked the threat as “TRISIS”, the victim was an industrial asset owner in the Middle East.

The Triton malware is designed to target Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers that are used in industrial environments to monitor the state of a process and restore it to a safe state or safely shut it down if parameters indicate a potentially hazardous situation.

TRITON is designed to communicate using the proprietary TriStation protocol which is not publicly documented, this implies that the attackers reverse engineered the protocol to carry out the attack.

Now, security experts at CyberX who analyzed samples of the malware provided further details on the attack, revealing that Triton was likely developed by Iran and used to target an organization in Saudi Arabia.

Iranian hackers are becoming even more aggressive, but experts always highlighted that they are not particularly sophisticated.

In October, the OilRig gang was spotted using a new Trojan in attacks aimed at targets in the Middle East.

OilRig is just one of the Iran-linked hacker crews, other groups tracked by security experts are APT33, Rocket Kitten, Cobalt Gypsy (Magic Hound), Charming Kitten (aka Newscaster and NewsBeef) and CopyKittens.

In February, researchers at Palo Alto Networks have discovered a new cyber espionage campaign linked to Iran that targeted several organizations in the Middle East.

The espionage campaign dubbed Magic Hound, dates back at least mid-2016. Hackers targeted organizations in the energy, government, and technology industries, all the targets are located or have an interest in Saudi Arabia.

Iran was responsible for destructive attacks on Saudi Aramco systems in 2012.

“We have information that points to Saudi Arabia as the likely target of this attack, which would indicate Iran as the likely attacker. It’s widely believed that Iran was responsible for destructive attacks on Saudi Arabian IT networks in 2012 and more recently in 2017 with Shamoon, which destroyed ordinary PCs. This would definitely be an escalation of that threat because now we’re talking about critical infrastructure — but it’s also a logical next step for the adversary. Stuxnet and more recently Industroyer showed that modern industrial malware can be used to reprogram and manipulate critical devices such as industrial controllers, and TRITON appears to be simply an evolution of those approaches.” said Phil Neray,VP of Industrial Cybersecurity for CyberX.

“There are many Iranian hacking groups that are currently being tracked by security companies, including APT33, APT34, OilRig, etc. As with Russian hacking groups such as Sandworm, it’s not always clear if these groups are part of a government agency or whether they are simply acting as proxies for the government — we simply don’t know. And in the case of TRITON, it could even be an entirely new group that we haven’t seen before.”

According to the experts, the shutdown was likely an accident during the reconnaissance phase conducted by the threat actors whose final goal was the sabotage.

Schneider Electric is investigating the attack to discover if the threat actors exploited any vulnerability in the Triconex product.

Schneider published a security advisory to warn its customers, it suggests avoiding leaving the front panel key position in “Program” mode when the controller is not being configured. The malicious code can only deliver its payload if the key switch is set to this mode.

“Schneider Electric is aware of a directed incident targeting a single customer’s Triconex Tricon safety shutdown system. We are working closely with our customer, independent cybersecurity organizations and ICSCERT to investigate and mitigate the risks of this type of attack.” reads the security advisory.

“The modules of this malware are designed to disrupt Triconex safety controllers, which are used widely in critical infrastructure. The malware requires the keyswitch to be in the “PROGRAM” mode in order to deliver its payload. Among others, the reported malware has the capability to scan and map the industrial control system environment to provide reconnaissance and issue commands directly to Tricon safety controllers.”

According to Phil Neray, OT environments are ‘vulnerable by design’ for this reason they are a privileged target for hackers that could use them as an entry point in industrial environment.

“I think it’s a little comical that Schneider Electric felt obliged to state that the attack did not leverage any vulnerabilities in the Tritex product,” Phil Neray told SecurityWeek. “OT environments are ‘vulnerable by design’ because they lack many of the controls we now take for granted in IT networks such as strong authentication. As a result, once an attacker gets into the OT network — by stealing credentials or connecting an infected laptop or USB, for example — they have almost free reign to connect to any control device they choose, and then reprogram them with malicious ladder logic to cause unsafe conditions. Based on the FireEye report, this appears to be exactly what the TRITON attackers did, similar to the way Industroyer modified ABB configuration files to perform its attack on the Ukrainian grid.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Triton malware, ICS)

[adrotate banner=”5″]

[adrotate banner=”13″]

APT critical infrastructure Hacking ICS Iran Saudi Arabia Triton malware

Pierluigi Paganini July 30, 2025

FBI seizes 20 BTC from Chaos Ransomware affiliate targeting Texas firms

Pierluigi Paganini July 30, 2025