Why Triton is the World’s Most Dangerous Malware


Hackers have come up with a new way to cause damage to oil, gas and other infrastructure businesses.

TRITON malware came to the world's attention in December 2017, when FireEye published its analysis of an attack on a petrochemical plant in Saudi Arabia earlier that year. The malware, also known as Trisis (and as HatMan in ICS-CERT's advisory), targets the safety instrumented system (SIS) of a plant: the independent layer of controllers whose only job is to bring the process to a safe state when pressures, temperatures or flows leave their limits. By reprogramming the SIS, an attacker can either trigger unnecessary shutdowns or, far worse, stop the safety system from intervening when the process enters a dangerous state, removing the last automated line of defense against an accident.

The 2017 attack did not achieve its goal, and the reason is instructive: the code the attackers pushed into the controllers failed an internal validation check between the controller's redundant processor modules, which put the controllers into a failed-safe state and shut the plant down before any harm could be done. That shutdown is what got the intrusion noticed. Had the reprogramming succeeded, the attackers would have had a foothold inside the safety controller itself, able to read and write its memory and alter the safety logic at will while the plant's normal process control kept running. A plant whose safety system has been quietly disabled can be pushed into a malfunction that puts workers' lives, and the lives of people in nearby areas, at risk.

By giving attackers remote control of a safety system from the network, TRITON becomes almost a terrorist weapon, one that can be wielded to cause maximum chaos and physical damage without putting a single attacker's life at risk. Although the malware itself is specific to one product line, the approach applies to almost any kind of facility that depends on a safety system, including nuclear facilities, water treatment plants, or others whose failure or shutdown could create difficult or harmful conditions for people in the area.

Teaching employees how to avoid phishing schemes can help prevent some cyber attacks.

How Does TRITON Work?

The initial entry point for the 2017 intrusion has never been publicly confirmed, but it is widely thought to have been a phishing attack, meaning an employee at the Saudi plant opened a malicious link or attachment that gave the attackers a foothold on the corporate IT network. From there the attackers worked their way into the plant's operational network and onto the engineering workstation used to program the safety controllers, where the TRITON tooling was deployed. Phishing attacks are common, but many can be prevented if employees are taught never to click a link or open an attachment in an email unless they can verify the source, and the damage from the ones that succeed is limited if the IT network is strictly separated from the control network.

TRITON targets one particular family of safety controllers, the Triconex line made by Schneider Electric, a French company; the 2017 attack specifically went after Tricon controllers. TRITON talks to the controller using the same TriStation engineering protocol that legitimate programming software uses, which is why it had to run from the engineering workstation. One important caveat for operators: a Tricon controller only accepts new logic when its physical key switch is set to PROGRAM mode, so controllers left in RUN mode reject the reprogramming attempt; the affected plant's controllers had been left in PROGRAM mode. Triconex controllers have been used in oil and gas plants for more than 30 years, and also in some manufacturing and nuclear facilities. Not every such facility uses Triconex, but enough do to make TRITON's capabilities a serious concern.
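Because TRITON reaches the controllers over the TriStation engineering protocol, one practical detection is to alert whenever any host other than an approved engineering workstation sends TriStation traffic (UDP port 1502) to a safety controller. The script below is an added illustration of that check, not code from the original article or from any vendor; the asset inventory, host addresses and flow records in it are constructed for the example.

```python
"""Flag TriStation traffic to Triconex safety controllers from unexpected hosts.

Added illustration, not code from the original article. TRITON reprogrammed
Triconex controllers over the TriStation engineering protocol (UDP port 1502),
so a simple but effective control is to alert whenever any host other than an
approved engineering workstation talks TriStation to a safety controller.
The flow records, host addresses and inventory below are constructed for the
example.
"""
from dataclasses import dataclass

TRISTATION_PORT = 1502  # UDP port used by TriStation 1131 to talk to Tricon

# Assumed asset inventory (hypothetical addresses): the Tricon controllers and
# the engineering workstations permitted to program them.
SAFETY_CONTROLLERS = {"10.10.20.5", "10.10.20.6"}
APPROVED_EWS = {"10.10.10.15"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed 'src dst proto dport' flow record."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.upper(), int(dport))


def is_tristation(flow: Flow) -> bool:
    """True when the flow is UDP/1502 addressed to a known safety controller."""
    return (
        flow.proto == "UDP"
        and flow.dport == TRISTATION_PORT
        and flow.dst in SAFETY_CONTROLLERS
    )


def find_unauthorized_programming(lines):
    """Return (src, dst) pairs for TriStation sessions from non-approved hosts.

    Comment lines and blank lines in the flow export are skipped.
    """
    alerts = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        if is_tristation(flow) and flow.src not in APPROVED_EWS:
            alerts.append((flow.src, flow.dst))
    return alerts


# Constructed sample flow export: two legitimate programming sessions from the
# approved workstation, an SMB connection that is irrelevant to this check, and
# two TriStation sessions from hosts that should never program a controller.
SAMPLE_FLOWS = """
# src            dst          proto dport
10.10.10.15      10.10.20.5   udp   1502
10.10.10.15      10.10.20.6   udp   1502
10.10.10.40      10.10.20.5   tcp   445
10.10.10.40      10.10.20.5   udp   1502
10.10.30.9       10.10.20.6   udp   1502
""".splitlines()

if __name__ == "__main__":
    for src, dst in find_unauthorized_programming(SAMPLE_FLOWS):
        print(f"ALERT: TriStation traffic from non-approved host {src} "
              f"to safety controller {dst}")
```

Run against the constructed records, the check reports the two sessions from 10.10.10.40 and 10.10.30.9 and stays silent on the approved workstation. In a real plant the inventory would come from the asset register rather than hard-coded sets, and the alert should be paired with the physical control already mentioned: keep the controllers' key switches in RUN mode except during planned, supervised programming windows.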

The end result of a successful TRITON attack could be a chemical or gas leak, which in some cases could lead to an explosion. These conditions can cause serious injuries and deaths, both to workers inside the plant and to people who live, work or travel nearby.

Dragos, a cybersecurity company that tracks the group behind TRITON under the name XENOTIME, reported in 2019 that the group had expanded beyond the Middle East and was probing North American targets, including electric utilities. While the first known victim was in the Middle East and the attack was initially assumed to have come from that region, FireEye later linked the malware's development and testing to a Russian government-owned research institute, based on evidence recovered while tracing the malware's origins, and many specialists now believe Russia is behind it.

PC AGE offers training in IT certifications including those dealing with cybersecurity like the Certified Ethical Hacker certification. Contact us for information about our courses, and you could be investigating cyber crimes in just a few months or earning credits toward a more advanced degree.