TRITON

Malware Profile Updated 2 months ago
Triton (also tracked as TRISIS and HatMan) is malware built to tamper with safety instrumented systems (SIS), the controllers whose job is to bring an industrial process to a safe state when it leaves its operating limits. It was deployed in 2017 against a petrochemical facility in Saudi Arabia, where it targeted Schneider Electric Triconex SIS controllers, and was publicly reported in December 2017 after the implant caused the safety controllers to fault and shut the plant down. Mandiant later assessed that the custom intrusion tools were most likely built by the Russian Central Scientific Research Institute of Chemistry and Mechanics (TsNIIkhM), and in March 2022 the US Department of Justice unsealed charges against a TsNIIkhM employee for the attack. The operator is tracked as TEMP.Veles (the "TRITON actor") by Mandiant and as XENOTIME by Dragos.

The tooling shows deliberate, well-resourced engineering rather than opportunistic reuse: it includes code that speaks the Triconex controllers' proprietary engineering protocol, and its strategies, preferences and coding conventions reflect planning and human oversight. Like Stuxnet, it embodies extensive prior analysis of one specific device family, and an implant that lives on the safety controller itself is hard to see from conventional IT-side monitoring and hard to be certain you have eradicated once it is installed. Much of the actor's wider intrusion framework has never been publicly recovered, and what has been analysed reflects a high level of expertise. The threat has not gone away: in March 2022 the FBI issued an advisory warning that Triton remains a threat to the global energy sector.

Two unrelated things share the name and appear in this profile's source corpus; neither has any connection to the malware. NVIDIA Triton Inference Server, an AI model-serving platform for Linux and Windows, had CVE-2023-31036: when the server is launched with a non-default command line option (--model-control explicit), an attacker can use the model-load API to cause a relative path traversal, a reminder that a model repository is a filesystem path fed by untrusted request data and needs the same validation as any other file-serving endpoint. Triton Global Services, Inc. is a physical-security integrator offering guard services, low-voltage video surveillance and AI-assisted products; it is coordinating with offices in Hayward and Sacramento on camera replacement programs and on educating California local agencies and school districts about compliance with the US government security camera law.
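CVE-2023-31036 is a relative path traversal reached through a model-load request, so the check a practitioner wants to see is how a server should treat a caller-supplied model name before it touches the filesystem. The following is an added example written for this page, not NVIDIA's code and not the actual fix: an allowlist on the model name plus a purely lexical containment check against a hypothetical repository root such as /srv/models, exercised with constructed sample request names.

```python
"""Containment check for a caller-supplied model name against a model
repository root. Hypothetical helper written for this page; it is not NVIDIA
Triton Inference Server code and does not reproduce the CVE-2023-31036 fix.
"""
import posixpath
import re
from typing import Optional

# Allowlist for a single-component model name: the primary control.
# Must start with an alphanumeric so '.' and '..' can never match.
_MODEL_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def is_valid_model_name(name: str) -> bool:
    """True only for a single path component made of safe characters.

    Rejects empty names, path separators, NUL bytes and the names '.'/'..'.
    """
    if name in (".", "..") or "\x00" in name:
        return False
    return _MODEL_NAME_RE.fullmatch(name) is not None


def resolve_model_dir(repo_root: str, model_name: str) -> Optional[str]:
    """Return the absolute directory for model_name under repo_root, or None
    when the name would resolve outside the repository.

    Purely lexical (POSIX path rules, no filesystem access), so it works as a
    backstop behind the allowlist: any name that normalises to something not
    strictly inside repo_root is rejected, which is exactly the bug class of
    a relative path traversal.
    """
    if not posixpath.isabs(repo_root):
        raise ValueError("repo_root must be an absolute path")
    if not model_name or "\x00" in model_name:
        return None
    if posixpath.isabs(model_name):
        # join() would discard repo_root entirely for an absolute name
        return None
    root = posixpath.normpath(repo_root)
    candidate = posixpath.normpath(posixpath.join(root, model_name))
    # Strict containment: candidate must be root + '/' + something, never
    # root itself and never a sibling such as /srv/models-old
    prefix = root if root.endswith("/") else root + "/"
    if candidate == root or not candidate.startswith(prefix):
        return None
    return candidate


def load_request_ok(repo_root: str, model_name: str) -> bool:
    """Decision a model-load handler would make: allowlist first, then the
    containment backstop. Both must pass before any file is opened."""
    return (is_valid_model_name(model_name)
            and resolve_model_dir(repo_root, model_name) is not None)


if __name__ == "__main__":
    # Constructed sample request names: one legitimate, the rest traversal attempts
    samples = ["densenet_onnx", "../../etc/passwd", "x/../../etc", "/etc/passwd", "."]
    for name in samples:
        print(f"{name!r:22} allowlist={is_valid_model_name(name)!s:5} "
              f"dir={resolve_model_dir('/srv/models', name)}")
```

The allowlist is the control to rely on; the lexical containment check is there so that a later change which relaxes the allowlist (nested model directories, say) still cannot walk out of the repository. Neither function touches the filesystem, so symlinks inside the repository are a separate concern and would need a realpath-based check at open time.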
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Name (votes): profile description
Trisis (4): TRISIS, also known as TRITON, is a particularly dangerous form of malware that targets safety instrumented systems (SIS) of industrial facilities. It was first identified in 2017 when it targeted a petrochemical facility in Saudi Arabia. The malware specifically attacked Triconex SIS controllers, wh
Triton Actor (1): The TRITON actor is a threat actor known for its malicious activities, specifically focused on gaining access to Operational Technology (OT) networks. Identified by cybersecurity firm FireEye, the actor's tactics, techniques, and procedures (TTPs) were first publicly detailed in 2017 when they deplo
Hatman (1): no profile description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware, ICS, Windows, Payload, Reconnaissance, Ransomware, Industrial, Trojan, Outlook, Lateral Move..., Russia, Kubernetes, Intellexa, Spyware, Traversal, Linux, Android, russian, Minecraft, Dragos, FireEye, APT, Backdoor, Worm, Vulnerability, Exploit
Associated Malware
Name (association type; votes): profile description
Stuxnet (unspecified; 4): Stuxnet is a notorious malware, known for its role in one of history's most infamous Advanced Persistent Threat (APT) attacks. Co-developed by the United States and Israel, this military-grade cyberweapon was specifically designed to target Iran's nuclear enrichment facility at Natanz in 2010. The S
WannaCry (unspecified; 2): WannaCry is a notorious malware that was responsible for one of the largest ransomware attacks in history, occurring in 2017. This malicious software, designed to exploit and damage computer systems, infiltrated networks worldwide through suspicious downloads, emails, or websites. Once inside a syst
Industroyer (unspecified; 1): Industroyer, also known as CrashOverride, is a potent malware specifically designed to target Industrial Control Systems (ICS) used in electrical substations. It first gained notoriety for its role in the 2016 cyberattack on Ukraine's power grid, which resulted in a six-hour blackout in Kyiv. The ma
BlackEnergy (unspecified; 1): BlackEnergy is a potent malware toolkit that has been utilized by criminal and Advanced Persistent Threat (APT) actors since 2007. Its destructive capabilities were notably demonstrated in Ukraine where it was used for cyber-espionage, compromising industrial control systems, and launching attacks a
NotPetya (unspecified; 1): NotPetya is a notorious malware that was unleashed in 2017, primarily targeting Ukraine but eventually impacting systems worldwide. This malicious software, which initially appeared to be ransomware, was later revealed to be data destructive malware, causing widespread disruption rather than seeking
LockerGoga (unspecified; 1): LockerGoga is a type of malware, specifically ransomware, known for its disruptive capabilities. It was notably deployed at Norsk Hydro in March 2019, causing significant operational disruption. LockerGoga differentiates itself from other types of ransomware such as EKANS due to its destructive natu
Ryuk (unspecified; 1): Ryuk is a sophisticated malware, specifically a ransomware variant, that has been extensively used by cybercriminal group ITG23. The group has been employing crypting techniques for several years to obfuscate their malware, with Ryuk often seen in tandem with other malicious software such as Trickbo
Predator Spyware (unspecified; 1): Predator Spyware is a type of malware, or malicious software, that has recently been identified as a significant threat to digital security. This harmful program infiltrates devices without the user's knowledge, often through suspicious downloads, emails, or websites. Once installed, it can steal pe
Predator (unspecified; 1): Predator is a potent malware that, along with NSO Group's Pegasus, remains a leading provider of mercenary spyware. Despite public disclosures in September 2023, Predator's operators have continued their operations with minimal changes, exploiting recently patched zero-day vulnerabilities in Apple a
Associated Threat Actors
Name (association type; votes): profile description
XENOTIME (unspecified; 1): XENOTIME is a threat actor group that has been active since late 2018, gaining notoriety for its malicious cyber activities. The group was initially referred to as TEMP.Veles by FireEye, but this terminology was later replaced with the more cryptic "TRITON actor". Meanwhile, cybersecurity firm Drago
TEMP.Veles (unspecified; 1): TEMP.Veles, a threat actor suspected of conducting malicious activities, has been linked to the Central Research Institute of Chemistry and Mechanics (CNIIHM) based in Moscow. The link is based on activity originating from an IP address registered to CNIIHM, which was used for various purposes such
Sandworm (unspecified; 1): Sandworm, a threat actor linked to Russia, is known for its malicious cyber activities. These actions have been characterized by significant breaches and disruptions, primarily targeting Ukrainian entities. This group has demonstrated advanced capabilities, including the use of fileless attacks as d
Sandworm Team (unspecified; 1): The Sandworm Team, a threat actor associated with Russia's military intelligence-linked group, has demonstrated significant capabilities in developing custom malware to target Operational Technology (OT) and Industrial Control Systems (ICSs). Since at least 2015, the team has used the "BlackEnergy"
Associated Vulnerabilities
Name (association type; votes): profile description
CVE-2023-31036 (unspecified; 1): no profile description
Source Document References
Information about the TRITON malware was read from the documents in the corpus below. This display is limited to 20 results.
Source, age: title
DARKReading, 3 months ago: Sprawling Sellafield Nuclear Waste Site Prosecuted for Cybersecurity Failings
CERT-EU, 4 months ago: Georgia Tech researchers warn of Stuxnet-style web-based PLC malware, redefining industrial cybersecurity threats - Industrial Cyber
CERT-EU, 6 months ago: CVE-2023-31036 - Alert Detail - Security Database
CERT-EU, 8 months ago: Russian hackers disrupted Ukrainian electrical grid last year
CERT-EU, 8 months ago: Triton Global Services Chosen To Assist California Public Schools And Agencies With United States Government Security Camera Compliance Law
CERT-EU, 9 months ago: The Urgency for Robust Utility Cybersecurity
CERT-EU, 9 months ago: UK warns nuclear power plant operator of cybersecurity failings
CERT-EU, 9 months ago: Nozomi Networks Celebrates 10 Years of Innovation in OT and IoT Cybersecurity
CERT-EU, 9 months ago: Operation Behind Predator Mobile Spyware Is 'Industrial Scale'
CERT-EU, 10 months ago: Power Your Business with NVIDIA AI Enterprise 4.0 for Production-Ready Generative AI – GIXtools
DARKReading, 10 months ago: A Brief History of ICS-Tailored Attacks
CERT-EU, a year ago: How to Advance ICS Cybersecurity: Implement Continuous Monitoring
CERT-EU, a year ago: A Complete Guide to ICS Security Assessment
CERT-EU, a year ago: Avenues of opportunity abound for Europe, the High North, and Indo-Pacific allies to counter adversaries
CERT-EU, a year ago: Rockwell Automation ControlLogix Flaws Expose ICS Devices to RCE & DoS Attacks
CERT-EU, a year ago: Australia news LIVE: PM dismisses Dutton’s call to cancel Voice; RBA governor to be named next month
MITRE, a year ago: Four Russian Government Employees Charged in Two Historical Hacking
MITRE, a year ago: TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping | Mandiant
MITRE, a year ago: A XENOTIME to Remember: Veles in the Wild
MITRE, a year ago: TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers | Mandiant