TRITON

Malware updated 4 months ago (2024-05-04T19:58:35.497Z)
Triton is a sophisticated malware family that has historically been used to target the energy sector. It was notably deployed in 2017 by the Russian Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM) in an attack on a Middle East petrochemical facility. The malware, also tracked as Trisis and HatMan, is designed to compromise safety instrumented systems (SIS). Its development demonstrates a strong capability for custom tooling, with strategies, preferences and conventions that reflect deliberate human planning and oversight. It remains a persistent threat: the FBI issued an advisory in March warning of renewed attacks using Triton. The Triton intrusion framework and its associated tools remain poorly understood, reflecting the high level of expertise involved in their creation. Unlike other well-known malware such as Stuxnet, Triton does not require extensive effort to analyze a specific device, which makes it more difficult to eradicate once installed.

The name also appears in two unrelated contexts that this profile aggregates. A vulnerability in the NVIDIA Triton Inference Server for Linux and Windows (CVE-2023-31036), a separate product sharing the name, could be exploited by an attacker to cause a relative path traversal when the server is launched with a non-default command line option; it highlights the ongoing challenges of managing AI workloads and infrastructure securely. Triton Global Services, Inc., also unrelated to the malware, offers artificial intelligence capabilities alongside traditional security guard services and low voltage video surveillance solutions. Its integrated security offerings aim to protect clients' assets across various industries, and it is currently coordinating with offices in Hayward and Sacramento to facilitate equipment replacement programs and further educate local agencies and school districts on compliance efforts.
Description last updated: 2024-04-01T22:16:04.501Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track across vendors, so the following are possible overlapping names and profiles that may also be of interest.
ID (votes): Profile description
Trisis (4 votes): TRISIS, also known as TRITON, is a particularly dangerous form of malware that targets safety instrumented systems (SIS) of industrial facilities. It was first identified in 2017 when it targeted a petrochemical facility in Saudi Arabia. The malware specifically attacked Triconex SIS controllers, wh
Miscellaneous Associations
Other elements of context that could help in assessing relevance:
Malware
ICS
Windows
Reconnaissance
Payload
Analyst Notes & Discussion
Associated Malware
ID (type, votes): Profile description
Stuxnet (type unspecified, 4 votes): Stuxnet, discovered in 2010, is one of the most notorious malware attacks in history, primarily targeting Windows systems, programming logic controllers (PLCs), and supervisory controls and data acquisition (SCADA) systems. The military-grade cyberweapon was co-developed by the United States and Isr
WannaCry (type unspecified, 2 votes): WannaCry is a type of malware, specifically ransomware, that gained notoriety in 2017 as one of the largest and most damaging cyber-attacks to date. The malicious software exploits vulnerabilities in computer systems to encrypt data, effectively holding it hostage until a ransom is paid. It primaril
Source Document References
Information about the TRITON malware was read from the documents in the corpus below. This display is limited to 20 results.
Source | Created | Title
DARKReading | 5 months ago | Sprawling Sellafield Nuclear Waste Site Prosecuted for Cybersecurity Failings
CERT-EU | 6 months ago | Georgia Tech researchers warn of Stuxnet-style web-based PLC malware, redefining industrial cybersecurity threats - Industrial Cyber
CERT-EU | 8 months ago | CVE-2023-31036 - Alert Detail - Security Database
CERT-EU | 10 months ago | Russian hackers disrupted Ukrainian electrical grid last year
CERT-EU | 10 months ago | Triton Global Services Chosen To Assist California Public Schools And Agencies With United States Government Security Camera Compliance Law
CERT-EU | a year ago | The Urgency for Robust Utility Cybersecurity
CERT-EU | a year ago | UK warns nuclear power plant operator of cybersecurity failings
CERT-EU | a year ago | Nozomi Networks Celebrates 10 Years of Innovation in OT and IoT Cybersecurity
CERT-EU | a year ago | Operation Behind Predator Mobile Spyware Is 'Industrial Scale'
CERT-EU | a year ago | Power Your Business with NVIDIA AI Enterprise 4.0 for Production-Ready Generative AI – GIXtools
DARKReading | a year ago | A Brief History of ICS-Tailored Attacks
CERT-EU | 2 years ago | How to Advance ICS Cybersecurity: Implement Continuous Monitoring
CERT-EU | a year ago | A Complete Guide to ICS Security Assessment
CERT-EU | a year ago | Avenues of opportunity abound for Europe, the High North, and Indo-Pacific allies to counter adversaries
CERT-EU | a year ago | Rockwell Automation ControlLogix Flaws Expose ICS Devices to RCE & DoS Attacks
CERT-EU | a year ago | Australia news LIVE: PM dismisses Dutton's call to cancel Voice; RBA governor to be named next month
MITRE | 2 years ago | Four Russian Government Employees Charged in Two Historical Hacking
MITRE | 2 years ago | TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping | Mandiant
MITRE | 2 years ago | A XENOTIME to Remember: Veles in the Wild
MITRE | 2 years ago | TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers | Mandiant