TRITON is a malware variant that targets Schneider Electric Triconex Safety Instrumented System (SIS) controllers. It was discovered in December 2017 by the cybersecurity firm Mandiant, a FireEye company, while responding to a cyber incident at an undisclosed critical infrastructure organization. The firm determined that TRITON was designed specifically to interact with these SIS controllers and believes that the actor or group behind the attack may have been attempting to develop the capability to cause physical damage to the organization's equipment and halt its operations.
BlackEnergy malware first appeared in 2007 as a DDoS tool and was traded among cybercriminals until, in 2010, a Russian hacking group known as the Sandworm Team – widely reported to have links to the Russian intelligence services – began using BlackEnergy2 (BE2) to conduct espionage against industrial control system networks. The malware is highly modular: it consists of many separate components, each serving a different function, and not all of that functionality is delivered to every victim.