Triton: Sophisticated Malware Targeting Industrial Safety Systems

Cybersecurity researchers report that malware dubbed Triton, which is technically an attack framework, is the first malware known to have been used against the industrial safety technology deployed in oil, gas, nuclear, water, energy and similar plants, even though it has been active since August 2017. It is certainly not the first malware to target industrial control systems (ICS). Stuxnet, the first example of ICS malware, appeared in 2010 and was designed to attack programmable logic controllers. The second malicious program used to disrupt industrial systems was Disakil (known as disk-wiping malware), used in the attack in Ukraine in 2016. Triton, already considered a severe threat, is neither the first nor the last malware targeting industrial systems (for the record, it is the fifth known malware targeting ICS), which suggests it is only a question of time until similar malicious programs are released and more manufacturing companies are affected.


Triton was developed to communicate with a specific type of industrial system: safety instrumented systems, or SIS. A SIS is an autonomous system that monitors the operation of other systems, e.g. robots, motors and factory machinery, and takes action immediately if something unexpected happens; for example, it can shut down the entire production line if something goes wrong. Triton has already caused problems for at least one organization, whose name remains unknown; specialists say it is possibly located in the Middle East. Nothing is known to this day about the attackers who used Triton either, but they are believed to be state-sponsored.

It did not take long for researchers to find out how Triton works. This malicious application affects the controllers of safety instrumented systems through Windows computers that are connected to those systems. Of course, it first needs to get onto those computers. It is no longer a secret that it infiltrates them masquerading as Triconex SIS controller management software. According to Symantec, the first thing it does after infiltrating the Windows computer associated with the controllers is inject code that changes the behavior of those SIS controllers. In the specific attack that possibly took place in the Middle East, it seems that some affected controllers entered the so-called fail-safe mode when the attackers tried to reprogram them. As a consequence, the related processes were shut down and the attack was spotted. In other words, the hackers could not achieve their goals. Researchers at FireEye say that the safe shutdown was initiated “when application code between redundant processing units failed a validation check.”

Let’s get slightly more technical. Research has clearly shown that Triton is quite sophisticated malware. One of the reasons it is called “sophisticated” is that it is delivered as a Py2EXE-packaged Python script. All of its components are listed below:

  • inject.bin – malicious function code
  • imain.bin – malicious control logic
  • trilog.exe – the executable file
  • library.zip – the .zip archive containing standard Python libraries, open source libraries, and the Triconex attack framework
  • TS_cnames.pyc
  • TsBase.pyc – a module containing functions called by TsHi.pyc
  • TsHi.pyc – high-level interface
  • TsLow.pyc – an additional module that implements the TriStation UDP wire protocol
  • sh.pyc

Once the payload is inserted into the controller, a countdown is started and the script checks the controller periodically while other activities are performed.
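As a defensive complement to the component list above, here is an added example (not code from the original article or from the cited researchers) that scans host file-creation events for the Triton component file names and rates each cluster of hits; the CSV event format and the host names are constructed assumptions, and rating a directory as high-confidence only when the Py2EXE stub (trilog.exe) and its bundle (library.zip) co-occur is a heuristic chosen here, not a claim from the article.

```python
"""Flag Triton component file names in host file-creation events.
Added example, not from the article. Event format below is a constructed,
simplified CSV (timestamp,host,user,path); adapt the parser to real EDR exports."""
import csv
import io
from collections import defaultdict
from pathlib import PureWindowsPath

# Component file names from the Triton analysis (lower-cased for case-insensitive matching).
TRITON_COMPONENTS = {
    "inject.bin", "imain.bin", "trilog.exe", "library.zip",
    "ts_cnames.pyc", "tsbase.pyc", "tshi.pyc", "tslow.pyc", "sh.pyc",
}
# Heuristic (assumption): Py2EXE stub together with its library bundle is the strongest signal.
HIGH_CONFIDENCE = {"trilog.exe", "library.zip"}

# Constructed sample events: a full drop on one workstation, noise elsewhere.
SAMPLE_EVENTS = """timestamp,host,user,path
2017-08-01T10:00:00Z,ENG-WS01,opsuser,C:\\Users\\opsuser\\Desktop\\trilog.exe
2017-08-01T10:00:01Z,ENG-WS01,opsuser,C:\\Users\\opsuser\\Desktop\\library.zip
2017-08-01T10:00:02Z,ENG-WS01,opsuser,C:\\Users\\opsuser\\Desktop\\TsHi.pyc
2017-08-01T11:00:00Z,HR-PC07,alice,C:\\Temp\\report.docx
2017-08-01T11:30:00Z,ENG-WS02,bob,C:\\Tools\\sh.pyc
"""

def scan_events(csv_text):
    """Return {(host, directory): sorted list of component names created there}."""
    hits = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = PureWindowsPath(row["path"])
        name = path.name.lower()
        if name in TRITON_COMPONENTS:
            hits[(row["host"], str(path.parent))].add(name)
    return {key: sorted(names) for key, names in hits.items()}

def classify(hits):
    """Rate each (host, directory) cluster: 'high' when stub and bundle co-occur,
    otherwise 'low' (a lone generic name such as sh.pyc is weak evidence)."""
    return {key: ("high" if HIGH_CONFIDENCE <= set(names) else "low")
            for key, names in hits.items()}

if __name__ == "__main__":
    clusters = scan_events(SAMPLE_EVENTS)
    for key, level in classify(clusters).items():
        print(f"{level.upper():4} {key[0]} {key[1]}: {', '.join(clusters[key])}")
```

Low-confidence hits still deserve a look on engineering workstations that legitimately run Triconex software, since that is exactly where the framework is meant to land.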

According to specialists, one possible reason Triton was employed is to cause physical damage, but the attackers incidentally shut down the affected plant instead and the attack failed. As a consequence, the attack was spotted and the malware investigation started. It is also very likely that the hackers were trying to learn how to modify safety systems so that new attacks could be carried out in the future. Generally speaking, unlike many other hackers distributing malicious applications, they did not have money in mind during the attack. It would be too naïve to expect that hackers will not try to launch new attacks using Triton. Specialists say that the recently spotted attack was only a “watershed.”

References:

Dragos. TRISIS Malware: Analysis of Safety System Targeted Malware. Dragos Blog

Johnson, B., Caban, D., Krotofil, M., Brubaker, N., and Christopher, G. Attackers Deploy New ICS Attack Framework “TRITON” and Cause Operational Disruption to Critical Infrastructure. FireEye.

Pixabay. Free Images.

Symantec Security Response Team. Triton: New Malware Threatens Industrial Safety Systems. Symantec Blog.

Gibbs, S. Triton: Hackers Take Out Safety Systems in ‘Watershed’ Attack on Energy Plant. The Guardian.

Wang, W. TRITON Malware Targeting Critical Infrastructure Could Cause Physical Damage. The Hacker News.