In Brief: TRITON, a piece of malware more worrying than Stuxnet

Date : May 07, 2018

TRITON (also known as TRISIS or Hatman) is a piece of malware discovered in late 2017 that attacks the Schneider Electric's Triconex safety controllers. It is now considered as a major event for the industrial systems community, as Stuxnet was in 2010. First it was revealed in March 2018 (see this New York Times article) that TRITON was probably designed to cause a major incident on petrochemical plant in Saudi Arabia and that this incident would probably have resulted in the deaths of men. Analysts at that time indicated that Iran was the most likely suspect. In late May 2018, Dragos company (see this Twitter comment) and the CyberScoop.com news site (see this article) announced that this attack was not an isolated case, and that similar attacks attempts, by the same group of attackers (which Dragos named "Xenotime") had also been detected on industrial platforms in the United States. This time the attack was apparently not against Triconex devices, but against other industrial safety systems.

This is very alarming because targeting safety systems means that the attacker is trying to cause an industrial incident. A major milestone has thus been reached in terms of risks for cyber-attacks targeting the industrial systems.

Note: TRITON is described by Cert-IST in the CERT-IST/ATK-2017.153 attack datasheet.

Previous Previous Next Next Print Print