Triton Malware Still Targeting Energy Firms

The FBIs latest Private Industry Notification warns the energy sector that the group behind Triton is still up to no good.

The global energy sector needs to stay alert for Triton malware, the Federal Bureau of Investigation said in a recent warning.
Triton
(also known as Trisis and HatMan) is designed to cause physical safety systems to cease operating or to operate in an unsafe manner, the FBI says in its Private Industry Notification (
PIN 20220324-001
). The malware was used in a cyberattack in 2017 against a Middle East petrochemical facility. The Russian Central Scientific Research Institute of Chemistry and Mechanics (TsNIIkhM), a Russian government-backed research institution, is believed to have carried out the attack, and last week the United States Department of Justice
unsealed an indictment against a Russian national
and a TsNIIkhM employee involved in that attack.
In the 2017 attack, Triton targeted a
Schneider Electric Triconex safety instrumented system
(SIS), which initiates safe shutdown procedures in emergency situations. The attacker gained initial access and then moved laterally through the IT and OT networks to get onto the safety system. The malware modified in-memory firmware for Triconex Tricon safety controllers. In a situation where the system would initiate safe shutdown procedures, the fact that the controllers were modified could potentially result in damage to the facility, system downtime, and even loss of life, the FBI says.
TsNIIkhM is believed to still be conducting activities against the global energy sector, the FBI says. Based on the attack framework and malware used in the original Triton incident, a similar attack could be designed against other SIS, the FBI says.
While Schneider Electric fixed the flaw in the Tricon controller, older versions are still in use and remain vulnerable. Potentially affected critical infrastructure asset owners and operators should regularly assess and monitor their SIS systems, watch personnel with access to these systems, and practice contingency plans, according to the FBI warning. The PIN outlines other recommendations, including using a unidirectional gateway for applications that need to receive data from the SIS; implementing change management procedures for safety controller run-state key positions; deploying safety systems on isolated networks; and checking logs from network appliances, webservers, and third-party tools for signs of early stage reconnaissance activity.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Triton Malware Still Targeting Energy Firms