Malware analysis

Triton Malware Hits Critical Infrastructure in Saudi Arabia

December 18, 2017 by Pierluigi Paganini

Security experts at FireEye discovered a new piece of malware, tracked as Triton, that is specifically designed to target industrial control systems (ICS).

The Triton malware was used in attacks aimed at an unnamed critical infrastructure organization in Saudi Arabia; the nature of the target and the lack of a financial motive (such as extortion) suggest the involvement of a nation-state actor.

Researchers from security firm Dragos also spotted the malware in the wild and analyzed it; the findings of their investigation were made public in a detailed report.

While Dragos avoided attributing the attack to a specific entity, FireEye noted that the activity observed is consistent with many attacks and reconnaissance operations carried out globally that were previously attributed to Russian, Iranian, U.S., North Korean and Israeli nation-state actors.

The experts speculated that the activity they observed was part of a reconnaissance phase: the threat actor was likely developing a sabotage capability and inadvertently triggered shutdown operations.

This point matters, because a few hours later another security firm linked the malware to a specific government, and that attribution was criticized by other cybersecurity experts.

Authors of the Triton malware aimed to target Schneider Electric's Triconex Safety Instrumented System (SIS) controllers that are used in industrial environments to monitor the state of a process and restore it to a safe state or safely shut it down if parameters indicate a potentially hazardous situation.

"Mandiant recently responded to an incident at a critical infrastructure organization where an attacker deployed malware designed to manipulate industrial safety systems. The targeted systems provided emergency shutdown capability for industrial processes," reads the analysis published by FireEye.

"We assess with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shutdown operations. This malware, which we call TRITON, is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers."

Figure 1 - Triconex Safety Instrumented System

According to FireEye, the attacker gained remote access to an SIS engineering workstation; then they deployed the TRITON malware to reprogram the controllers, a circumstance that indicates that attackers had a deep knowledge of such systems.

The attackers targeted a Windows-based engineering workstation; the malicious code added its own programs to the controller's execution table. In case of a failure, the malware attempts to return the controller to a running state; if that attempt fails, it overwrites the malicious program with junk data, likely to remove any trace of the attack.

This implies the attackers pre-built and tested the tool which would require access to hardware and software that is not widely available.

During this phase of the attack, some SIS controllers entered a failed safe state, which automatically shut down the industrial process and prompted the asset operator to investigate the incident.

TRITON is designed to communicate using the proprietary TriStation protocol which is not publicly documented, a circumstance that suggests the attackers reverse engineered the protocol to carry out the attack.

The Triton malware interacts with Triconex SIS controllers; it can read and write programs and functions to and from the controller.

"TRITON was deployed on an SIS engineering workstation running the Microsoft Windows operating system. The malware was named to masquerade as the legitimate Triconex Trilog application. This application is used for reviewing logs and is a part of the TriStation application suite," continues FireEye.

"The malware was delivered as a Py2EXE compiled python script dependent on a zip file containing standard Python libraries, open source libraries, as well as the attacker-developed Triconex attack framework for interacting with the Triconex controllers. Along with the executable, two binary files, inject.bin (malicious function code) and imain.bin (malicious control logic), were deployed as the controller's payload. These file names were hard coded in the Py2EXE compiled python script."
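The deployment artifacts quoted above (an executable masquerading as the Trilog application, a zip of Python libraries next to it, and the hard-coded payload files inject.bin and imain.bin) give a defender something concrete to hunt for on an engineering workstation. The following triage helper is an added example written for this article, not code from FireEye or Dragos: it groups a file listing by directory and flags directories that match that layout. The file names come from the FireEye report; the zip-name handling (any .zip, since the report only says "a zip file"), the directory layout and the sample listing are assumptions constructed for the example.

```python
"""Triage helper: flag directory layouts that match the TRITON deployment
described in the FireEye write-up.  Heuristic only; the payload file names
are from the public report, everything else here is constructed."""
import os
from collections import defaultdict
from pathlib import PurePosixPath

# Payload file names hard-coded in the Py2EXE script, per the FireEye report.
PAYLOAD_NAMES = {"inject.bin", "imain.bin"}
EXE_SUFFIXES = {".exe"}


def _normalize(path):
    """Treat Windows and POSIX paths alike (assumption: no mixed separators
    inside a single file name)."""
    return PurePosixPath(path.replace("\\", "/"))


def classify(paths):
    """Group a flat list of paths by directory and return
    {directory: [reasons]} for every directory that looks suspicious."""
    by_dir = defaultdict(set)
    for p in paths:
        pp = _normalize(p)
        # Windows file systems are case-insensitive, so compare lower-case.
        by_dir[str(pp.parent)].add(pp.name.lower())

    findings = {}
    for directory, names in by_dir.items():
        reasons = []
        exes = {n for n in names if PurePosixPath(n).suffix in EXE_SUFFIXES}
        zips = {n for n in names if n.endswith(".zip")}
        payloads = PAYLOAD_NAMES & names

        # Both controller payload files together is the strongest signal;
        # one alone is still worth a look.
        if payloads == PAYLOAD_NAMES:
            reasons.append("inject.bin and imain.bin co-located")
        elif payloads:
            reasons.append(f"partial payload set: {sorted(payloads)}")

        # An executable named after Trilog that ships with a zip of Python
        # libraries matches the Py2EXE masquerade described in the report.
        trilog_exes = {e for e in exes if "trilog" in e}
        if trilog_exes and zips:
            reasons.append(
                f"Trilog-named executable {sorted(trilog_exes)} "
                f"with zip {sorted(zips)}"
            )

        if reasons:
            findings[directory] = reasons
    return findings


def scan_tree(root):
    """Walk a real directory tree and run classify() over it."""
    paths = [os.path.join(dp, f) for dp, _, fs in os.walk(root) for f in fs]
    return classify(paths)


# Constructed sample listing (not taken from any real host).
SAMPLE_LISTING = [
    r"C:\Users\eng\Desktop\trilog.exe",
    r"C:\Users\eng\Desktop\library.zip",
    r"C:\Users\eng\Desktop\inject.bin",
    r"C:\Users\eng\Desktop\imain.bin",
    r"C:\Program Files\Triconex\TriStation\TriStation.exe",
    r"C:\Temp\imain.bin",
]

if __name__ == "__main__":
    for directory, reasons in classify(SAMPLE_LISTING).items():
        print(directory)
        for reason in reasons:
            print("  -", reason)
```

On the sample listing the Desktop directory is reported twice (payload pair plus the Trilog-named executable with its zip), the lone imain.bin in C:\Temp is reported as a partial match, and the legitimate TriStation install directory is not reported. The heuristic is deliberately name-based: it complements, rather than replaces, the hash-based IoCs and YARA rules in the vendor reports.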

Figure 2 - ICS Reference Architecture (FireEye Report)

The attack against an SIS controller is very dangerous; once it has been compromised, the attacker can reprogram the device to trigger a safe state with a severe impact on the operations of the targeted environment. Attackers could also reprogram the SIS controller to avoid triggering actions when parameters assume dangerous values.

"The attacker targeted the SIS suggesting an interest in causing a high-impact attack with physical consequences. This is an attack objective not typically seen from cyber-crime groups," continues FireEye.

"If the SIS and DCS controls fail, the final line of defense is the design of the industrial facility, which includes mechanical protections on equipment (e.g., rupture discs), physical alarms, emergency response procedures and other mechanisms to mitigate dangerous situations."

Schneider Electric promptly launched an investigation to determine whether the threat actors exploited any vulnerability in the Triconex product, and published a security advisory to warn its customers and suggest mitigations. The advisory confirms that Triton can only deliver its payload when the controller's front panel key switch is in "PROGRAM" mode, and it recommends not leaving the key in that position when the controller is not being configured.

"Schneider Electric is aware of a directed incident targeting a single customer's Triconex Tricon safety shutdown system. We are working closely with our customer, independent cybersecurity organizations and ICS-CERT to investigate and mitigate the risks of this type of attack," reads the security advisory.

"The modules of this malware are designed to disrupt Triconex safety controllers, which are used widely in critical infrastructure. The malware requires the key switch to be in the 'PROGRAM' mode to deliver its payload. Among others, the reported malware has the capability to scan and map the industrial control system environment to provide reconnaissance and issue commands directly to Tricon safety controllers."

The SIS threat model

Attacks against ICS are usually disruptive: attackers aim to disrupt or destroy operational processes, but to do so they need deep engineering knowledge of the industrial process being controlled.

Researchers at FireEye provided some useful highlights for the SIS threat model. Once an attacker has compromised an SIS, they have the following attack options:

Attack Option 1: Use the SIS to shut down the process

  • The attacker can reprogram the SIS logic to cause it to trip and shut down a process that is in a safe state. In other words, trigger a false positive.
  • Implication: Financial losses due to process downtime and complex plant startup procedure after the shutdown.

Attack Option 2: Reprogram the SIS to allow an unsafe state

  • The attacker can reprogram the SIS logic to allow unsafe conditions to persist.
  • Implication: Increased risk that a hazardous situation will cause physical consequences (e.g., impact to equipment, product, environment, and human safety) due to a loss of SIS functionality.

Attack Option 3: Reprogram the SIS to allow an unsafe state – while using the DCS to create an unsafe state or hazard

  • The attacker can manipulate the process into an unsafe state from the DCS while preventing the SIS from functioning appropriately.
  • Implication: Impact to human safety, the environment, or damage to equipment, the extent of which depends on the physical constraints of the process and the plant design.

According to Dragos, compromising the security of an SIS does not necessarily compromise the safety of the system.

"Safety engineering is a highly specific skill set and adheres to numerous standards and approaches to ensure that a process has a specific safety level. As long as the SIS performs its safety function the compromising of its security does not represent a danger as long as it fails safe," reads the report.

The attribution

As noted above, both FireEye and Dragos, the security firms that analyzed samples of the Triton malware, avoided linking it to a specific state.

Security experts at CyberX who investigated the incident pointed out that Triton was likely developed by Iran and used to target an organization in Saudi Arabia.

"It's widely believed that Iran was responsible for destructive attacks on Saudi Arabian IT networks in 2012 and more recently in 2017 with Shamoon, which destroyed ordinary PCs. This would definitely be an escalation of that threat because now we're talking about critical infrastructure -- but it's also a logical next step for the adversary," Phil Neray, VP of Industrial Cybersecurity for CyberX, told SecurityWeek.

"Stuxnet and more recently Industroyer showed that modern industrial malware can be used to reprogram and manipulate critical devices such as industrial controllers, and Triton appears to be simply an evolution of those approaches."

According to Neray, OT environments are 'vulnerable by design', and for this reason they are an attractive target for attackers, who can use them as an entry point into the industrial environment.

"I think it's a little comical that Schneider Electric felt obliged to state that the attack did not leverage any vulnerabilities in the Tritex product," Phil Neray told SecurityWeek. "OT environments are 'vulnerable by design' because they lack many of the controls we now take for granted in IT networks such as strong authentication. As a result, once an attacker gets into the OT network -- by stealing credentials or connecting an infected laptop or USB, for example -- they have almost free reign to connect to any control device they choose and then reprogram them with malicious ladder logic to cause unsafe conditions. Based on the FireEye report, this appears to be exactly what the TRITON attackers did, similar to the way Industroyer modified ABB configuration files to perform its attack on the Ukrainian grid."

Researchers at Dragos criticized the attribution to Iran because they believe the information available at this stage of the investigation is not enough to attribute the attack to a specific state.

"Firms, like the one linked above, either seem not to understand or not care how dangerous it can be to tie national attribution to ICS targeted cases. The attribution to Iran on this is very premature and in our analysis highly inappropriate given a lot of details," reads a tweet posted by the company.

Iranian hackers are becoming ever more aggressive, but experts have consistently noted that they are not particularly sophisticated.

In October, the OilRig gang was spotted using a new Trojan in attacks aimed at targets in the Middle East.

OilRig is just one of the Iran-linked hacker crews; other groups tracked by security experts are APT33, Rocket Kitten, Cobalt Gypsy (Magic Hound), Charming Kitten (aka Newscaster and NewsBeef) and CopyKittens.

In February, researchers at Palo Alto Networks discovered a new cyber espionage campaign linked to Iran that targeted several organizations in the Middle East.

The espionage campaign, dubbed Magic Hound, dates back to at least mid-2016. The hackers targeted organizations in the energy, government, and technology industries; all of the targets are located in, or have interests in, Saudi Arabia.

Iran was responsible for destructive attacks on Saudi Aramco systems in 2012, and now CyberX is attributing the Triton malware to the Government of Teheran.


Despite the large number of infections reported on ICS systems over the years, at the time experts had identified only four families of ICS-tailored malware: Stuxnet, Havex, BlackEnergy2, and CRASHOVERRIDE/Industroyer.

Triton is an important novelty in the threat landscape; its discovery is worrisome and confirms that threat actors are increasingly interested in ICS malware for sabotage purposes.

I personally believe that the attack is linked to a nation-state actor, but it is quite impossible to attribute it without further evidence.

As explained in the report published by Dragos experts, although the attack is not highly scalable, other adversaries can adopt a similar TTP to target SIS.

The incident represents an escalation in the type of attacks seen to date as the attack is specifically designed to target the safety function of the process.

If you are interested in Indicators of Compromise (IoCs) or YARA rules, see the FireEye and Dragos reports.


Pierluigi Paganini

Pierluigi is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, a member of the Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, and Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.

Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field and a Certified Ethical Hacker (EC-Council, London). A passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.

Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines.