An anonymous reader quotes a report from Ars Technica: Sixteen months ago, scientists reported that an escalation that is unsettling from hacks targeting other types of infrastructure, gas refineries, and power plants. Attackers who may have been working on behalf of a state caused an outage that was operational at a critical-infrastructure website after targeting a system that prevented health- and life threatening injuries. What was unprecedented during this assault — and of considerable concern to infrastructure operators and some researchers — was the use of an advanced piece of malware that targeted the anonymous site’s security processes. Since it targeted the Triconex product lineup the malware was called Trisis and Triton. Its development was connected to some Russian research institute.
Researchers at FireEye — the same security company that discovered its ties and Triton to Russia — say they have discovered an extra intrusion which used exactly the identical malicious software framework against a critical infrastructure website. As had been the case from the very first intrusion, the attackers focused most of their resources on the OT, or technology, which are systems for tracking and managing devices and physical processes of the facility. The discovery has unearthed a new set of custom made tools that were never-before-seen that shows the attackers are operational since early as 2014. The existence of the tools, along with the attackers’ shown interest in security, direct FireEye researchers to think there may be other websites beyond the two already known where the Triton attackers still are present or were. “After establishing an initial foothold on the corporate network, the Triton celebrity focused almost all of their effort on gaining access to the OT system,” FireEye researchers wrote in a report published Wednesday. “They didn’t exhibit activities commonly associated with espionage, such as utilizing key loggers and screenshot grabbers, browsing files, and/or exfiltrating large amounts of information. Most of the attack tools they used were concentrated on community reconnaissance, lateral movement, and maintaining presence in the target environment.”