The attackers are expanding their targets and new variants are able to attacks also other than Schneider Electric’s Triconex systems.
The malware was first spotted in December 2017 by researchers at FireEye that discovered that it was specifically designed to target industrial control systems (ICS) system.
Security experts at CyberX who analyzed samples of the malware provided further details on the attack, revealing that Triton was likely developed by Iran and used to target an organization in Saudi Arabia.
The Triton malware is designed to target Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers that are used in industrial environments to monitor the state of a process and restore it to a safe state or safely shut it down if parameters indicate a potentially hazardous situation.
TRITON is designed to communicate using the proprietary TriStation protocol which is not publicly documented, this implies that the attackers reverse engineered the protocol to carry out the attack.
According to experts at Dragos, threat actors have been around since at least 2014, they were discovered in 2017 after they caused a shutdown at a critical infrastructure organization somewhere in Saudi Arabia.
Dragos researchers warn of new cyber attacks powered by the same group against organizations globally.
“Dragos assesses with moderate confidence that Xenotime intends to establish required access and capability to cause a potential future disruptive or even destructive event,” states Dragos Security. “Compromising safety systems provides little value outside of disrupting operations. The group created a custom malware framework and tailormade credential gathering tools, but an apparent misconfiguration prevented the attack from executing properly. As Xenotime matures, it is less likely that the group will make this mistake in the future.”
Experts at Dragos have published a collection of reports related to threat groups targeting critical infrastructure, the first one was on the activities of the Russia-linked Allanite group.
Summary info on threat actors will be made available through an Activity Groups dashboard, but users interested in the full technical report need to pay it.
[adrotate banner=”9″] | [adrotate banner=”12″] |
(Security Affairs – Triton Malware, Xenotime)
[adrotate banner=”5″]
[adrotate banner=”13″]
A critical vulnerability in the WordPress Automatic plugin is being exploited to inject backdoors and…
As cryptocurrencies have grown in popularity, there has also been growing concern about cybercrime involvement…
Healthcare service provider Kaiser Permanente disclosed a security breach that may impact 13.4 million individuals…
Over 1,400 CrushFTP internet-facing servers are vulnerable to attacks exploiting recently disclosed CVE-2024-4040 vulnerability. Over…
A ransomware attack on a Swedish logistics company Skanlog severely impacted the country's liquor supply. …
CISA adds Cisco ASA and FTD and CrushFTP VFS vulnerabilities to its Known Exploited Vulnerabilities…
This website uses cookies.