Triton Actor

Threat Actor Profile (updated 3 months ago)
The TRITON actor is a threat actor known for intrusions aimed at gaining access to Operational Technology (OT) networks. The actor was identified by the cybersecurity firm FireEye, and its tactics, techniques, and procedures (TTPs) were first publicly detailed in 2017, when it deployed the TRITON/TRISIS malware framework. FireEye later linked the actor to a Russian research institution and named the group "TEMP.Veles"; FireEye has since revised that terminology and now refers to the group more ambiguously as the "TRITON actor."

Some confusion surrounds the identity of the TRITON actor, because respected journalists have conflated detections of TRITON malware with activity attributed to the TRITON actor. The distinction matters because cybersecurity firms collect evidence differently. Dragos, for example, has had more engagements involving this activity and tracks the group as "XENOTIME," whereas FireEye's data-centric approach requires more observations before it defines an Advanced Persistent Threat (APT). Since late 2018, FireEye has stepped back from the name TEMP.Veles and refers to the entity only as the "TRITON actor," while Dragos consistently refers to the group as XENOTIME on the basis of the behaviors it has identified.

The TRITON actor is also known for using Thinstall to package its malware and for operating out of favored directories when staging and executing files. Despite the differing names, the cybersecurity community agrees that this actor poses a significant threat, particularly because of its focus on Industrial Control Systems (ICS), a relatively novel and under-explored area of cyber threats.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID / Votes / Profile Description

Trisis (1 vote): TRISIS, also known as TRITON, is a particularly dangerous form of malware that targets safety instrumented systems (SIS) of industrial facilities. It was first identified in 2017 when it targeted a petrochemical facility in Saudi Arabia. The malware specifically attacked Triconex SIS controllers, wh

TRITON (1 vote): Triton is a sophisticated malware that has been historically used to target the energy sector. It was notably used in 2017 by the Russian Central Scientific Research Institute of Chemistry and Mechanics (TsNIIkhM) to attack a Middle East petrochemical facility. The malware, also known as Trisis and

XENOTIME (1 vote): XENOTIME is a threat actor group that has been active since late 2018, gaining notoriety for its malicious cyber activities. The group was initially referred to as TEMP.Veles by FireEye, but this terminology was later replaced with the more cryptic "TRITON actor". Meanwhile, cybersecurity firm Drago

TEMP.Veles (1 vote): TEMP.Veles, a threat actor suspected of conducting malicious activities, has been linked to the Central Research Institute of Chemistry and Mechanics (CNIIHM) based in Moscow. The link is based on activity originating from an IP address registered to CNIIHM, which was used for various purposes such
Miscellaneous Associations
Other elements of context that could aid in assessing relevance: Dragos, FireEye, APT, Malware, Outlook, ICS
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Triton Actor threat actor was read from the documents below.

Source / Created / Title

MITRE (a year ago): A XENOTIME to Remember: Veles in the Wild

MITRE (a year ago): TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping | Mandiant