Public Release of Triton ICS Trojan File Creates Additional Threat to Critical Infrastructure

As reported by the NJCCIC in December, researchers disclosed details about a trojan, dubbed “Triton” or “Trisis,” designed to target industrial control systems (ICS) – only the fifth known malware of its kind. Recently, however, researchers discovered that a file containing pertinent data on the trojan’s framework had been mistakenly uploaded to the public malware repository VirusTotal on December 22, 2017. Though it was removed from the repository less than 24 hours later, the file was quickly copied and has since been uploaded to various other public sites, including GitHub. A threat actor could use this file, along with other publicly available artifacts, to reconstruct the trojan. Triton was likely created by a nation-state actor or group and is designed to manipulate Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers used in ICS at nuclear power plants, oil and gas facilities, and paper mills. Successful exploitation of these controllers could cause the SIS to malfunction, disrupting operations and possibly resulting in physical damage. The NJCCIC recommends that administrators of the targeted Triconex controllers review the NJCCIC threat profile, the Cyberscoop article, the NCCIC’s Malware Analysis Report, and the FireEye report, and apply the provided recommendations to reduce the cyber risk this threat poses to their ICS environment.