TRITON/TRISIS Malware attack against Triconex Safety System in Middle East Petrochemical Facility
| Incident Impacts | Manipulation of Safety Systems, Business Disruption |
|---|---|
| Affected Sector | Utilities, Energy |
| Associated Intrusion Sets | XENOTIME |

In August 2017 the XENOTIME intrusion set compromised a Triconex Safety Instrumented System (SIS) engineering workstation. According to reporting from Dragos and FireEye (Mandiant), the attacker used the TRITON/TRISIS malware to reprogram SIS controllers, causing some to enter a failed safe state and automatically initiate a shutdown of the industrial process.
The US government subsequently linked the attack to the State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM).