A New Security Risk for ICS Controllers: Triton Malware Explained

Over the past few years, we’ve started to see malware specifically developed to target industrial control systems (ICS). Among the most notable of recent culprits are BlackEnergy, Industroyer and Triton. FireEye was the first security firm responding to the Triton incident, and recently published more information about the Triton Threat Actor TTP profile which we will review in this article. 

The Triton Malware 

On April 10, 2019, FireEye confirmed that they were “responding to an additional intrusion by the attacker behind Triton at a different critical infrastructure facility,” following an earlier report from December of 2017.  

As an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers, Triton was designed and deployed to manipulate industrial safety systems; specifically, it targeted systems with the privilege to issue emergency shutdowns of industrial processes. 

The malware consisted of two main modules documented by FireEye: trilog.exe and library.zip. trilog.exe was the main executable, and library.zip contained a custom communication library used to interact with the Triconex controllers.  

Courtesy: FireEye 

Anatomy of the Attack 

Lateral Movement  

The attackers were able to gain access to the network’s ICS layer by moving laterally through the IT network. While moving laterally, they were able to achieve what FireEye calls “prolonged and persistent access to the target environment.” The Threat Actors created custom tools to mirror the functionality of open source commodity tools, allowing Triton to masquerade as a legitimate application and thereby evade anti-virus measures or detection. It seems, however, that this method was only employed during critical phases of the attack, or when evading detection was absolutely necessary. 

While moving through the target network, the threat actors utilized many techniques to hide their activities such as:  

  • Renaming their files to appear legitimate 
  • Utilizing native Microsoft Windows tools like RDP and WinRM 
  • Modifying timestamps of their files to blend in with the copious number of files in their payload directories 

This offered a further layer of concealment, rendering security measures completely ineffective. 
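As an added example (not code from the original article or from FireEye's report), the following Python triage script applies two of the evasion indicators listed above to the files in a directory: a PE header hiding behind a non-executable extension (a renamed binary), and a modification time with no sub-second component, which is what most timestamp-rewriting tools leave behind while normally written files on NTFS or ext4 carry sub-second precision. The file names and timestamp values in the test are constructed.

```python
"""Heuristic triage for two evasion tricks: renamed binaries and timestomped files."""
import os
import sys
from typing import List, Tuple

PE_MAGIC = b"MZ"                       # DOS header at offset 0 of every PE file
EXEC_EXTS = {".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx"}
NS_PER_SEC = 1_000_000_000


def assess(name: str, mtime_ns: int, head: bytes) -> List[str]:
    """Return the reasons a file looks disguised or timestomped (empty = none)."""
    reasons = []
    ext = os.path.splitext(name)[1].lower()
    # Renamed binary: PE header but an extension that should not carry code
    if head.startswith(PE_MAGIC) and ext not in EXEC_EXTS:
        reasons.append(f"PE header with non-executable extension {ext or '(none)'}")
    # Timestomping: tools that rewrite timestamps usually write whole seconds,
    # so a zero sub-second part on a sub-second-capable filesystem is suspicious
    if mtime_ns % NS_PER_SEC == 0:
        reasons.append("modification time has zero sub-second component")
    return reasons


def scan_dir(directory: str) -> List[Tuple[str, List[str]]]:
    """Apply assess() to every regular file in a directory (non-recursive)."""
    findings = []
    for entry in os.scandir(directory):
        if not entry.is_file(follow_symlinks=False):
            continue
        with open(entry.path, "rb") as fh:
            head = fh.read(len(PE_MAGIC))
        reasons = assess(entry.name, entry.stat().st_mtime_ns, head)
        if reasons:
            findings.append((entry.path, reasons))
    return findings


if __name__ == "__main__":
    # Usage: python triage.py <directory>   (defaults to the current directory)
    for path, reasons in scan_dir(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path, "->", "; ".join(reasons))
```

Both checks are heuristics, so treat a hit as a lead for closer inspection rather than proof; a full forensic check on NTFS would additionally compare the $STANDARD_INFORMATION timestamps against the $FILE_NAME ones in the MFT, which most timestomping tools do not touch.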

Persistence 

According to FireEye, the Threat Actors maintained a persistent presence on the target networks since 2014 at the latest. The actors demonstrated an interest in the OT network and spent time researching, developing, and weaponizing OT assets for their own purposes. Apparently, custom tools were used to maintain this persistent state, hearkening back to the methods used for lateral movement and evasion of detection. 

Asset Owners Need to Prepare 

ICS-targeted attacks have gained a discouragingly high profile in recent years. The IT and OT convergence has already happened, and in response, diligent asset owners must prepare for malware threatening both their IT and OT networks. 

BlackEnergy affected human machine interfaces (HMIs), Industroyer manipulated remote terminal units (RTUs) and Triton affected programmable logic controllers (PLCs), showing vulnerabilities at every level of the ICS stack. If threat actors are learning from each other, it seems that – between these three attacks – they have developed a comprehensive understanding of OT networks. 

Asset owners can prepare by performing routine assessments and audits of their IT and OT networks. Red Team exercises, a more targeted assessment than a penetration test, could also help asset owners understand possible methods of evasion and how to detect them.  

It is important to note that Triton did not adhere to the MITRE ATT&CK framework. Not all threat actors follow this framework, but we utilize it to help build asset owners’ defenses. Once those defenses are in place, we utilize non-framework techniques to test asset owners’ defensive capabilities against threat actors.  


Harry Thomas is a senior level cyber security consultant who works with industries that require security in high availability networks such as Electric Utilities, Healthcare, Oil & Gas, etc. He enhances security programs through methods of vulnerability assessments, penetration testing, reverse engineering, and security research. Harry harnesses his experience from both enterprise security and ICS security to build secure networks that enable organizations.


Securicon offers comprehensive digital security and compliance solutions to organizations. Our services include penetration testing and social engineering assessments, which are trusted by critical infrastructure companies across the U.S. and other critical organizations to find vulnerabilities and maximize safety. In 2019, there’s no room to be lax about security – contact us today!