The Triton malware was identified 16 months ago by investigators from Fireeye: it targets Triconex control systems and was linked by Fireeye at Moscow into the Central Scientific Research Institute of Chemistry and Mechanics.


Now, Fireeye has published a report on another instance of Triton being used in the area, this opportunity to assault the safety instrumented systems (SIS) that use hardware and software to stop power plants, refineries, and other large setups from bursting, venting toxic material, catching fire, etc..


The second example shows that Triton strikes have been in the works since at least 2014, also surfaced a comprehensive toolsuite that provides more insight into just how Triton’s operators operate.


The very frightening this about this is SIS targeting: that is the kind of thing which doesn’t just shut plants down — it leaves them permanently inoperable, and possibly kills some or all the folks inside them and near them.


The SIS strikes are a logical progression on Stuxnet along with the Russian “sandworm strikes” that got out of control and failed $10B harm in 2018.

We know the first incident wasn’t isolated. There are others. That’s especially disconcerting given the danger associated. We’re at a loss for explaining the rationale here or whether this can be tied to some other nation who might be contracting out together with the 38, though we have tracked this back into the Russian institute.


We’re releasing the resources and other information on this particular actor from the hopes that others will find them and we shall all get a better grip on this emerging and disconcerting threat celebrity. We understand there is some risk that the celebrity may visit ground. That may have occurred. Safety measures were taken by the institute after we published the site in this case on attribution. They shot a number of the info on their site down and changed their WHOIS.

Hopefully, this can be a first step in a hunt for this actor that contributes to a few replies.