TRITON Attack Compromises Critical-Infrastructure Network | eWeek

TRITON Attack Targeted Critical Infrastructure, Security Firm Says

infrastructure security
Verfasst von
Robert Lemos
Robert Lemos
Dec 15, 2017
3 minute read
eWeek Inhalte und Produktempfehlungen sind redaktionell unabhängig. Wir können Geld verdienen, wenn Sie auf Links zu unseren Partnern klicken. Mehr erfahren

Online attackers infiltrated a critical-infrastructure network, compromising systems and deploying malware designed to manipulate a system that could have shut down industrial processes, security firm FireEye warned in an advisory published on Dec. 14.

FireEye did not identify the attacker or attribute the attack, which is dubbed TRITON, to any specific group, nor did it name the victim, but stated that evidence points to “a nation-state preparing for an attack.” The malware could have stopped the critical-infrastructure’s systems from properly responding, leading to real-world damages, the company warned.

“The targeting of critical infrastructure to disrupt, degrade, or destroy systems is consistent with numerous attack and reconnaissance activities carried out globally by Russian, Iranian, North Korean, U.S., and Israeli nation state actors,” FireEye researchers stated in their analysis. “Intrusions of this nature do not necessarily indicate an immediate intent to disrupt targeted systems, and may be preparation for a contingency.”


Nation-states have become increasingly active in cyber operations. In 2010, the United States and Israeli hobbled Iran’s nuclear processing capability with the Stuxnet attack that caused damage to the critical centrifuges used in uranium processing. In 2016, attackers—thought to be Russian—caused a power outage in Ukraine, turning off the lights to nearly a quarter million people.

FireEye did not identify any nation-state as the likely aggressor, but said the company was moderately confident that the attacker is a government-sponsored group. “The targeting of critical infrastructure as well as the attacker’s persistence, lack of any clear monetary goal and the technical resources necessary to create the attack framework suggest a well-resourced nation state actor,” the company said.

Other security firms believe the target of the attack to be a Saudi Arabian firm, and the attackers to be Iranian. In 2012, the Shamoon attack—widely credited to Iran—infected systems at petroleum giant Saudi Aramco, and this attack seems to be a continuation of the online conflict, cyber-security expert Phil Neray of CyberX said in a statement.

“We have information that points to Saudi Arabia as the likely target of this attack, which would indicate Iran as the likely attacker,” he said. “This would definitely be an escalation of that threat because now we’re talking about critical infrastructure—but it’s also a logical next step for the adversary.”

The TRITON malware can communicate with a proprietary industrial controller network known as the Triconex Safety Instrumented System (SIS). The attacker behind the malware camouflaged it as a program for the company’s application suite. Once the system was compromised, the attacker did not immediately try to damage the network, but instead appeared to try to develop new capabilities, including the ability to do physical damage using the malware, FireEye stated.

“We base this on the fact that the attacker initially obtained a reliable foothold on the DCS [distributed control system] and could have developed the capability to manipulate the process or shutdown the plant, but instead proceeded to compromise the SIS system,” the researchers stated. “Compromising both the DCS and SIS system would enable the attacker to develop and carry out an attack that causes the maximum amount of damage allowed by the physical and mechanical safeguards in place.”

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Eigentum von TechnologyAdvice. © 2026 TechnologyAdvice. Alle Rechte vorbehalten

Werbetreibenden-Offenlegung: Einige der auf dieser Website erscheinenden Produkte stammen von Unternehmen, von denen TechnologyAdvice eine Vergütung erhält. Diese Vergütung kann beeinflussen, wie und wo Produkte auf dieser Website erscheinen, einschließlich beispielsweise der Reihenfolge, in der sie erscheinen. TechnologyAdvice schließt nicht alle Unternehmen oder alle auf dem Marktplatz verfügbaren Produkttypen ein.