Security researchers have uncovered a new attempted hack using Triton malware, which targets industrial equipment in an effort to cause physical damage to its targets.

Triton was first detected in 2017 when it was used to target the operations of a critical-infrastructure organization in the Middle East. A later report, which attributed Triton to Russia, noted that the malware targeted equipment sold by Schneider Electric SE that’s used in oil and gas facilities.

Triton is unique in that its attackers apparently aren’t interested in causing network damage or stealing data but instead in causing actual damage to equipment. That can include catastrophic failures that in a worst-case scenario could result in the loss of life as well.

The new attempted hack using Triton was detected by researchers at FireEye Inc. who said that they had uncovered an additional intrusion using the same malicious software against a different critical infrastructure site.

As with the previous case, the attack was primarily focused on the unnamed facility’s operational technology, that is systems that are used to manage and monitor physical processes and devices.

“They did not exhibit activities commonly associated with espionage, such as using key loggers and screenshot grabbers, browsing files, and/or exfiltrating large amounts of information,” the researchers said. “Most of the attack tools they used were focused on network reconnaissance, lateral movement and maintaining presence in the target environment.”

Noting the complexity of Triton attacks, it was found that the attackers used both public and custom backdoors along with web shells and credential harvesting tools to avoiding antivirus detection and remain undiscovered.

Remarkably, the attackers were found to have been present in the targeted system for almost a year before gaining access to their final target, an engineering workstation where they attempted to deploy the Triton malware itself.

“This is very targeted malware that can have a significant impact,” Tim Erlin, vice president of product management and strategy at Tripwire Inc., told SiliconANGLE. “We’re not talking about the usual ransomware here. Triton is designed specifically to attack control systems.”

And those are highly specialized systems, he added. “Installing your standard anti-malware software isn’t the right solution,” he said. “The safety system engineers and vendors are the right source for defensive techniques.”

Photo: WClarke/Wikimedia Commons