TRITON: The Malware That Could Have Killed Hundreds

In December 2017, a Middle Eastern oil and gas petrochemical plant was attacked by malware named TRITON, also known as TRISIS or HatMan. It targeted the plant’s Safety Instrumented System that is a part of Industrial Control Systems.


Industrial Control Systems (ICS) are computer-based devices that are used by engineers to monitor and keep different variables under control. These autonomous devices are used in industries that create products via applying continuous series of processes to raw materials such as electric generating, oil refining and chemical processing.

Safety Instrumented Systems (SIS) are being used to monitor variables but they are not intended for controlling the production process. They trigger alarms and overriding signals to protect people, the plant and the environment when a monitored process goes beyond the allowed level within the operational limits.

Factory designed by Macrovector

Designed by Macrovector

These systems are used in oil and gas plants, nuclear energy facilities, water treatment facilities and more. Thus, incidents such as hardware failure, fire and explosions are prevented, and the producing continues without catastrophic results.

Seriousness Of This Attack 

Unlike other cyber-attacks, this attack was very critical. The purpose was more than stealing information or causing disruption; it was supposed to create catastrophic incident by disabling the Safety Instrumented System. Due to seriousness of the industrial attack an in-depth analysis was performed.

The Attack Pattern

According to the analysis, the malware targeted Schneider Electric’s Triconex products that are known as SIS. It was written very well. The malware’s intent was to install Remote Access Trojan (RAT), which was designed to give the attackers read write execute over the Safety Instrumented System in RUN/Remote mode, access to all regions of memory, access to control logic and access to firmware.

It was written specifically for the model and firmware version of the targeted SIS – Tricon 3008 v10.3. The malware required to have access to the SIS network locally or remotely and a computer to load the malware onto Tricon.

In this incident, the TriStation terminal, which is a software application for developing, testing, and documenting safety-critical and process-control applications that execute on Triconex controllers, was used to launch the attack. Furthermore, the key switch that is located on the front panel of the product must be switched to Program Mode. Thus, the switch would not protect the memory from being written anymore and Tricon would get infected.

What Was Their Plan?

Apparently, the hackers wanted to manipulate layers of shutdown protocols to keep the system running while they reach deeper to gain more control. Despite being well written, the malware accidently triggered the emergency protocol and the system was shut down. This gave away the attack. Since the hackers could not deliver actual payload into system their true intentions are still unknown.


However, recently analysists found a clue that traced the malware to Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), which is in Moscow, Russia. According to analysists, the malware development activity supports TEMP.Veles activity, which includes testing multiple versions of malicious software and was used during the TRITON intrusion, very likely.

From the testing activity, analysts found independent ties to CNIIHM and a person, whose online activity shows significant connection to CNIIHM. TEMP. Veles used an IP address registered to CNIIHM to monitor open-source coverage of TRITON, network reconnaissance, and malicious activity for supporting TRITON intrusion. Behavior patterns of TEMP.Veles activity was consistent in the Moscow time zone.

Lastly, analysists think that CNIIHM has the required institutional knowledge and personnel to develop and TRITON and TEMP.Veles operations. Without specific evidence they could not prove the link between CNIIHM and TRITON but they have associated this capability with Russia.

The Wake Up Call      

This incident should serve as a vital wake up call in the industrial control and cyber security community. Therefore, strong protection is crucial today more than ever. Also, for businesses it is highly important to educate their employees about the importance of cyber security and all the risks that cyber world brings. There are numerous examples, where malware attacks occurred due to employees’ negligence. Having proper security systems along with employee awareness will work the best to maintain safe online experience.

Posted by Bülent Kızanlık

  1. Great article:)


    1. arnelahajdarevic Kasım 6, 2018 at 9:12 am

      Thank you!


Bir cevap yazın

E-posta hesabınız yayımlanmayacak. Gerekli alanlar * ile işaretlenmişlerdir

This site uses Akismet to reduce spam. Learn how your comment data is processed.