More on the Triton Malware

FireEye is releasing much more information about the Triton malware that attacks critical infrastructure. It has been discovered in more places.

This is also a good -- but older -- article on Triton. We don't know who wrote it. Initial speculation was Iran; more recent speculation is Russia. Both are still speculations.

FireEye report. Boing Boing post.

Posted on April 16, 2019 at 6:10 AM • 7 Comments


Petre Peter April 16, 2019 8:54 AM

Stuxnet, Havex, BlackEnergy, CrashOverride, Triton are indeed examples of cyber-physical threats. Maybe even murderous malware .

Yabba Dabba Don'tApril 16, 2019 10:16 AM

Stuxnet, Havex, BlackEnergy, CrashOverride, Triton

initialized is:


which unscrambled is


Gotta be the NSA then.

Anon1April 16, 2019 3:31 PM

Funny, the first two times I read the text I couldn’t figure out why we didn’t know who wrote the older article.

RealFakeNewsApril 16, 2019 5:25 PM


Proving why grammar matters.


I think it likely that we actually know who is behind it, but all this "cloak and dagger" with code names, mystery, etc. is just playing politics.

Did anyone think: we did it?

Some GuyApril 16, 2019 10:05 PM

Attribution is difficult. It matters in overall situational awareness but not as much in identifying and addressing operational and technical vulnerabilities.

Stuxnet used by US/Israel against Iran nuclear sector

Shamoon used by likely Iran for espionage and to destroy Saudi Aramco network.
Havex likely developed by Russia and used against energy sector and defense.for espionage and potentially battlefield prep

BlackEnergy likely used by Russia in Ukraine Distribution attack - only used as one tool as the real attack was theft of VPN user IDs used to take control using legitimate means

CrashOverride likely used by Russia in Ukraine transmission attack

Triton/Trisys used by unknown against Mideast oil (Saudi Aramco??) likely as battlefield prep.

Attack vector
In every case but Stuxnet , the vector has been

Compromise of corporate networks via phishing or similar often using a supply chain victim/partner

Exapansion of Control and lateral movement in corporate net

Theft of credentials including OT credentials

Eespionage or corporate destruction (Shamoon)
Entry into control systems by legitimate means.

The attacks may have been made through supply chain business partners with a higher level of access either through cooperation or exploitation of business partners

To me, the lesson here is that there are too many vulnerabilities and one will always be available to attackers. It’s not the inbound traffic that matters as much as monitoring the outbound communication to detect the attack. Security by patching is necessary but not sufficient. Defensive measures that stop the commobly repeated patterns (the kill chain) is where defense needs to evolve. Monitoring of business partner communication is critical.

Clive RobinsonApril 17, 2019 6:54 AM

@ Some Guy,

In every case but Stuxnet , the vector has been...

It obviously works or they would have changed tactics...

Which kind of says a lot about not just the technical but human failings of information system security.

It makes you wonder if we have realy progressed from the days when people used to talk about the seesaw of "Usability-v-Security".

I know Gunner Peiterson from the One Drop blog used to say that nothing had moved forward since perimeter security with statefull firewalls.

Both of those ideas are a couple of decades old now...

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Sidebar photo of Bruce Schneier by Joe MacInnis.