TRITON

Malware updated a month ago (2024-10-15T10:01:41.842Z)
Triton is malware built to compromise and damage industrial control systems. It was first used in a 2017 cyberattack on a petrochemical facility in the Middle East, an operation attributed to the Russian Central Scientific Research Institute of Chemistry and Mechanics (TsNIIkhM). The malware targets safety instrumented systems (SIS), particularly in the energy sector. Its developers showed a strong capability for custom tooling: the malware framework and the intrusion tools were built and deployed by humans with observable strategies, preferences, and conventions. Such attacks are rare, the 2017 incident being the best-known example, but Triton resurfaced in March 2022 when the FBI issued an advisory warning of its deployment against the energy sector. Unlike other complex OT-specific malware such as Stuxnet, Triton requires less effort to analyze a particular device, which makes it harder to eliminate.

The name Triton has also been associated, in this dataset, with a vulnerability in the NVIDIA Triton Inference Server for Linux and Windows, a product that shares the name but has no connection to the malware. In that product an attacker may cause a relative path traversal when the server is launched with the non-default command line option --model-control explicit. The vulnerability, CVE-2023-31036, was first published by the vendor in January 2024.

Triton Global Services, Inc., likewise unrelated to the malware, offers traditional security guard services, low voltage video surveillance solutions, and technologies that integrate advanced AI capabilities through its Remote Guarding Division. The company states that it protects clients' assets by combining advanced technologies with a highly trained team and delivers integrated security for businesses across a wide range of industries. California state and local agencies can contact Triton Global Services directly for assistance via its website.
Description last updated: 2024-10-15T09:23:26.311Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track between vendors, so the following overlapping names and profiles may also be worth looking at.
Alias: Trisis (4 votes)
Description: Trisis is a possible alias for TRITON. TRISIS, also known as TRITON, is a particularly dangerous form of malware that targets safety instrumented systems (SIS) of industrial facilities. It was first identified in 2017 when it targeted a petrochemical facility in Saudi Arabia. The malware specifically attacked Triconex SIS controllers, wh
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
ICS
Windows
Reconnaissance
Payload
Associated Malware
Alias: Stuxnet (association type: Unspecified; 4 votes)
Description: The Stuxnet Malware is associated with TRITON. Stuxnet, discovered in 2010, is one of the most infamous malware attacks in history. It was a military-grade cyberweapon co-developed by the United States and Israel, specifically targeting Iran's nuclear enrichment facility at Natanz. The Stuxnet worm infiltrated Windows systems, programming logic

Alias: WannaCry (association type: Unspecified; 2 votes)
Description: The WannaCry Malware is associated with TRITON. WannaCry is a type of malware, specifically ransomware, that made headlines in 2017 as one of the most devastating cyberattacks in recent history. The WannaCry ransomware exploited vulnerabilities in Windows' Server Message Block protocol (SMBv1), specifically CVE-2017-0144, CVE-2017-0145, and CVE-2
Source Document References
Information about the TRITON Malware was read from the documents corpus below. This display is limited to 20 results. Only the source and creation date survived extraction; titles and links are not shown.

Source: DARKReading, created 8 months ago
Source: CERT-EU, created 9 months ago
Source: CERT-EU, created 10 months ago
Source: CERT-EU, created a year ago (7 documents)
Source: DARKReading, created a year ago
Source: CERT-EU, created 2 years ago
Source: CERT-EU, created a year ago (4 documents)
Source: MITRE, created 2 years ago (4 documents)