Hackers Behind 'Triton' Malware Attack Expand Targets

The threat group responsible for the recently uncovered attack involving a piece of malware known as Triton, Trisis and HatMan is still active, targeting organizations worldwide and safety systems other than Schneider Electric’s Triconex. The actor, which industrial cybersecurity firm Dragos tracks as Xenotime, is believed to have been around since at least 2014, but its activities were only discovered in 2017 after it targeted a critical infrastructure organization in the Middle East. The attack that led to the cybersecurity industry uncovering Xenotime was reportedly aimed at an oil and gas plant in Saudi Arabia. It specifically targeted Schneider Electric’s Triconex safety instrumented systems (SIS) through a zero-day vulnerability. The targeted organization launched an investigation and called in FireEye's Mandiant after the SIS caused some industrial systems to unexpectedly shut down. Researchers believe the shutdown was caused by the attackers by accident. Dragos has also analyzed the initial Triton/Trisis incident and more recent attacks launched by Xenotime. The company says the group has targeted organizations globally, far outside the Middle East.