TRITON malware threatens industrial machinery with physical damage

The new malware strain is capable of causing industrial IoT machinery to operate unsafely

The discovery of a new strain of malware capable of hacking industrial machinery has raised concerns that it could be used to shut down production lines and inflict physical damage to equipment.

The TRITON malware has been built for the purpose of attacking industrial hardware, specifically Triconex Safety Instrumented System (SIS) controllers, according to security researchers at FireEye, and has already been discovered targeting an organisation.

Production line SIS controllers are used to harvest the data generated by Internet of Things (IoT) factory machinery, such as industrial robots, sensors, valves and motors. The controllers act as an automated failsafe for that equipment, ensuring that it operates within safe parameters and shutting down production lines if, for example, a machine becomes unstable.

It's thought that the authors of the malware designed it to give them remote access to an SIS, which could then be used to trigger an emergency shutdown of machinery, and that they were still developing a way of causing physical damage to equipment.


"During the incident, some SIS controllers entered a failed safe state, which automatically shut down the industrial process and prompted the asset owner to initiate an investigation," said the FireEye research team. "The investigation found that the SIS controllers initiated a safe shutdown when application code between redundant processing units failed a validation check - resulting in an MP diagnostic failure message."

"We assess with moderate confidence that the attacker inadvertently shut down operations while developing the ability to cause physical damage for the following reasons."

By infecting the SIS controller, it's believed the malware could reprogramme the controller's safety parameters, allowing machinery to keep running in an unsafe state and potentially causing physical damage to the equipment or even injury to human operators.

FireEye has yet to attribute this type of malware activity to any threat actor it currently tracks. However, it believes with "moderate confidence" that the author has been sponsored by a nation state, particularly as there doesn't appear to be any monetary goal.

"The attacker targeted the SIS suggesting an interest in causing a high-impact attack with physical consequences," said the FireEye team. "This is an attack objective not typically seen from cyber-crime groups."

However, these types of attacks on critical infrastructure are consistent with the tactics deployed by Russian, Iranian, North Korean, and Israeli state actors, according to FireEye, and are likely to be "preparation for a contingency plan" rather than an immediate attempt to disrupt a system.


TRITON's method of attack has historically only been seen in a handful of cases, including the Stuxnet malware, which was used to disrupt industrial machinery in Iran in 2010, and Industroyer, believed to be developed by the Russian-based Sandworm Team for use against Ukraine in 2016. In those cases, safety procedures were disabled on equipment, resulting in malfunctions and physical damage.

However, recent research by Symantec has warned that a new attack group known as Dragonfly has started to increase the number of its attacks against European and US industrial sectors.
