Lethal killer malware code Triton expands worldwide

The malicious code known as Triton can disable the safety systems that prevent catastrophic industrial accidents. The code, designed to deliberately endanger human lives, was discovered in 2017 at a petrochemical plant in Saudi Arabia. According to MIT Technology Review, the hackers behind Triton are now turning their attention to North America and other parts of the world.

According to Australian security specialist Julian Gutmanis, who discovered the life-threatening malware, the hackers appear to have gained a foothold in the petrochemical company’s IT network as early as 2014. For tactical and safety reasons, the name of the company is deliberately not being released.

From there they eventually found their way into the plant’s own network. Gutmanis suspects the most likely route was a gap in a poorly configured firewall that should have blocked unauthorized access.

The hackers then managed to gain access to an engineering workstation, either by exploiting an unpatched flaw in Windows or by intercepting an employee’s login credentials. The workstation communicated with the plant’s safety instrumented systems, so from it the attackers could learn the make and model of the hardware controllers in those systems. They also learned which firmware versions were stored in the memory of the device and how it communicates.

Schneider Electric previously confirmed that the Triton malware exploited a zero-day vulnerability in the company’s Triconex Tricon firmware. The malware was able to modify the Triconex Safety Instrumented System (SIS) controllers. An SIS is often described as an autonomous control system that independently monitors the state of the industrial process.

Gutmanis initially attributed Triton to Iran, since Saudi Arabia and Iran are arch-enemies. However, according to the cyber security company FireEye, which was involved in the Triton investigation from an early stage, there are indications of Russian involvement. For example, several names in Cyrillic characters were discovered, and an IP address was found that is registered to the Central Scientific Research Institute of Chemistry and Mechanics in Moscow. There is reportedly also evidence that one of the institute’s professors was involved.

Dan Coats, the U.S. Director of National Intelligence, warned last year of the growing danger of a crippling cyber attack on critical U.S. infrastructure. At the time, he drew a parallel with the increase in online chatter that American intelligence services detected among terrorist groups before the attack on the World Trade Center in 2001. Almost two decades on, the warning lights are flashing red again. Today, the digital infrastructure that serves this country is literally under attack.

Industrial IoT

The development of lethal malware such as Triton coincides with the rise of the so-called industrial Internet of Things. This connectivity allows employees to monitor equipment remotely and collect data quickly, letting them work more efficiently. But it also gives hackers more potential targets, which is a potentially very dangerous development.

What if the hackers introduced a bug by mistake and, instead of triggering a safe shutdown, disabled the plant’s safety systems at the very moment a human or other error caused one of its critical processes to fail? The consequences could be catastrophic, even if the hackers never intended it that way.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.