This story is over 5 years old.


Researchers Find New Victim of Critical Infrastructure Hackers Behind 'Triton' Malware

A security firm has discovered a new victim of the infamous hacking group that targeted critical infrastructure with destructive malware.
Image: Cathryn Virginia

Security researchers say they have found a new victim of the hacking group behind the potentially destructive malware, which targets critical infrastructure, known as Triton or Trisis.

On Thursday, security firm FireEye revealed that it was hired to respond to a breach at an undisclosed critical infrastructure facility, and that the hackers were the same ones behind Triton, a type of malware that had previously hit the Saudi Arabian oil giant Petro Rabigh, as first reported by E&E News. In that breach, the hackers used the malware to manipulate industrial processes and inadvertently cause a process shutdown. Infrastructure security experts said that was the most dangerous malware attack in history, given the tangible risk of physical damage. FireEye believes a Russian government-linked research lab is responsible for developing Triton.


FireEye did not say who the new target was. This is a sometimes common practice in hacks that are disclosed by the firms hired to respond to them; security firms are often not allowed to disclose information about their clients. Critical infrastructure is a term used widely in the security world but often refers to power plants, water treatment facilities, power grids, and other high-profile facilities that provide important societal services.

“The actor leveraged dozens of custom and commodity intrusion tools to gain and maintain access to the target's IT and OT networks,” FireEye wrote in a report about the new Triton attack shared with Motherboard in advance, using the infosec jargon for Operational Technology, which are computer systems used to manage industrial operations. “The actor was present in the target networks for almost a year before gaining access to the Safety Instrumented System (SIS) engineering workstation.”

Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at, or email

FireEye researchers believe the hackers behind Triton have been active since 2014, which likely means there are more than two victims out there, according to the company’s researchers.

In 2017, FireEye revealed that hackers using Triton had attempted to damage or cause destruction at a critical infrastructure facility in the Middle East. At the time, the researchers did not name the victim. But then, in March of this year, E&E News reported in a blockbuster investigation that the victim was Petro Rabigh.


“Two emergency shutdown systems sprang into action as darkness settled over the sprawling refinery along Saudi Arabia's Red Sea coast,” E&E News reporter Blake Sobczak wrote. “The systems brought part of the Petro Rabigh complex offline in a last-gasp effort to prevent a gas release and deadly explosion.”

It’s not known how much damage the hackers behind Triton made or attempted to make at this second victim facility.

FireEye concluded that critical infrastructure facilities need to use the information about the hackers, which FireEye shared, to check their own systems and hunt for the malware, “as we believe there is a good chance the threat actor was or is present in other target networks,” FireEye researchers wrote.

Correction: An earlier version of this story stated that the new victim FireEye had found was hit with Triton malware. In fact, FireEye did not find Triton malware, but traces of the hacking group behind Triton.

Listen to CYBER, Motherboard’s new weekly podcast about hacking and cybersecurity.