Triton: What You Need to Know

Correction: An earlier version of this post identified the protocol used as the TSAA protocol. This malware uses the TriStation protocol, which is proprietary and undocumented. Thanks to Jimmy Wylie for the correction.

What is Triton?

Triton is a new malware framework targeting safety systems monitoring SCADA networks. It’s designed to run from within a compromised network, allowing the attacker to observe and control Triconex Safety Instrumented System (SIS) devices. It has been reported that the attackers copied a malicious file (trilog.exe) onto a management workstation, a Windows PC, and used that vantage point to attempt to write new firmware to the memory of SIS devices. Device firmware is designed to be updated remotely. A physical key on the front of the device allows the user to switch between a PROGRAM mode, where modifications are allowed, and others, such as read-only RUN. The attackers used this capability as designed and relied on users to have left the device in PROGRAM mode. Although Triton did not leverage any vulnerabilities, Nessus can identify the early stages of the attack.

Which devices were attacked by Triton?

Triton attacked Triconex Main Processors, model 3008. These safety monitoring systems were approved for use by the United...

Triton: What You Need to Know

What is Triton?

Triton is a new malware framework targeting safety systems monitoring SCADA networks. It’s designed to run from within a compromised network, allowing the attacker to observe and control Triconex Safety Instrumented System (SIS) devices. The attackers copied a malicious file (trilog.exe) onto a management workstation, a Windows PC, and used that vantage point to attempt to write new firmware to the memory of SIS devices. Device firmware is designed to be updated remotely. A physical key on the front of the device allows the user to switch between a PROGRAM mode, where modifications are allowed, and others, such as read-only RUN. The attackers used this capability as designed and relied on users to have left the device in PROGRAM mode. Although Triton did not leverage any vulnerabilities, Nessus can identify the early stages of the attack.

Which devices were attacked by Triton?

Triton attacked Triconex Main Processors, model 3008. These safety monitoring systems were approved for use by the United States Nuclear Regulatory Commission in 2012.

What’s the impact?

If successful, this attack could have run arbitrary code on critical safety monitoring systems, concealing or causing physical damage to monitored systems.

Did the attackers need to reverse engineer the devices?

The attackers didn’t...