A TRITON malware attack on an ICS is not just an attack on one system; it is an attack on the industry that runs it and, by extension, on the country.

Industry is an important part of any country's economy, and the control layer of industry is built from industrial control systems (ICS).

ICS are everywhere, from a building's air-conditioning system to the machines that manufacture a product on the factory floor.

A TRITON attack is therefore not only a system compromise that causes monetary damage; it can also cost human lives if the system under attack is one that protects them.

In the past there have been many attacks on different industries, some causing monetary damage, some causing reputational loss, and some causing deaths.

Those attacks were handled by the people responsible at the time.

As the years pass, technology grows, and so do the attackers.

Two to three years before this writing, a malware framework built to damage ICS was discovered and named TRITON. As of 2019 it is among the most dangerous ICS malware known, because the equipment it targets is used not only in oil and gas installations but also in nuclear power plants and factories.

When nuclear power plants are involved, the matter becomes one of national concern and should be dealt with firmly.

What is an ICS Attack?

An ICS attack resembles a conventional computer intrusion in many ways.

First, the attacker learns the system they have landed in, then gradually identifies its exploitable weaknesses.

Once they understand the system, the attacker introduces software that can change its settings.

The effect varies with the nature of the system being controlled.


Some famous examples of the ICS attacks in the past are:

  • The first widely cited ICS attack is the reported 1982 explosion of a Siberian gas pipeline, attributed to sabotaged control software (an account that remains disputed).
  • The cyber-attack on the Ukrainian electricity grid in December 2016 (the Industroyer/CrashOverride attack on a Kyiv transmission substation), which cut power to part of the city for about an hour.
  • The most recent is TRITON, which is the most concerning of them all because it targets the safety systems that keep plants, including nuclear ones, from reaching a dangerous state.

What is TRITON Malware?


Researchers from FireEye identified TRITON (also known as TRISIS and HatMan) at the end of 2017. It is a malware framework developed to compromise industrial control systems (ICS), specifically Triconex safety controllers.

The discovery followed an incident in which the malware caused some safety controllers at an industrial facility to enter a failed-safe state and shut down the process. Because the safety system reported a fault to the operators, the unexpected shutdown was investigated, and the attack failed.

What it is Capable of?

Because the initial reporting did not name the type of industrial facility or the country in which this sophisticated malware surfaced, Mandiant's advanced practices team, the intelligence consultancy of the FireEye group, carried out an in-depth investigation into the methods used in the attack and the response to it.

During this investigation the team established that the affected equipment is commonly used in oil and gas installations, as well as in nuclear power plants and factories.

In general terms, TRITON is designed to change or even disable Triconex products, which are safety instrumented systems (SIS). Unlike the distributed control systems (DCS) that operators use to monitor and run a process, an SIS works autonomously: it independently monitors the process and brings it to a safe state when dangerous conditions are detected.

How was TRITON Malware Made?

The threat actors behind the TRITON framework reverse-engineered a Triconex controller and its software.

Reverse engineering is the in-depth study of how a device works through analysis of its structure and operation.

From the legitimate software they learned the TriStation protocol and developed malware that speaks it.

The researchers' own knowledge of the TRITON threat and their reverse-engineering effort give a better understanding of the protocol; from it a more complete picture is emerging and the basic functionality of TriStation can be documented.

It is important to note that TriStation is a proprietary network protocol and there is no public documentation detailing its structure or how to write software that uses it. What the public TRITON analyses do establish is its transport: TriStation traffic between an engineering workstation and a Triconex controller is carried over UDP port 1502, which is the one thing a defender can reliably watch for without knowing the message format.


  1. The Mandiant researchers' initial theory was that the authors purchased a Triconex controller and TriStation software for their own testing and reverse engineering.
  2. The second hypothesis is that they used a demo version of the software, which allows enough reverse engineering of TriStation to build the framework.
  3. Another possibility is the theft of TriStation Python libraries from ICS companies, their subsidiaries or system integrators, which were then used to develop the TriStation layer and, consequently, the TRITON malware.
  4. Finally, the authors could have borrowed TriStation software, Triconex hardware and Python connectors legitimately, for example from a government entity. Whichever route they took, what the analysis shows is that they reverse-engineered legitimate code to build the TRITON framework.

In this way they worked smarter, not harder.

Even after reverse-engineering the legitimate software and implementing the basic TriStation concepts, the authors still had an incomplete understanding of the protocol. That gap is what exposed them: their code caused controllers to fail safe, and the resulting shutdown led to the discovery of the attack.

Attacker’s Intent:


Past attacks on ICS have had different motivations: financial gain, political reasons, military objectives, among others.

In this case the motivation appeared to be physical damage: an SIS exists only to keep a process within safe limits, so disabling or tampering with the Triconex controllers suggests the attackers wanted to remove the layer that prevents an unsafe state from causing harm.

What to Do?

The analysis found that developing the framework was easier than was thought at the start.

In view of this, other attackers are expected to adopt similar approaches when building tools to attack ICS, especially as intruders move from the IT environment into OT.

The recommendation is, in addition to continuing to monitor the behaviour and actions of these groups, to hold public discussions about ICS technologies and to bring manufacturers and operating companies together, so that they share good practices and prevent intrusions into environments that depend on industrial safety technology.

Security teams must thoroughly evaluate their ICS to identify the different types and levels of risk and install the corresponding safeguards. For a Triconex deployment specifically, the public TRITON analyses point at two controls to check first: the controller's physical key switch should be left in RUN rather than PROGRAM outside maintenance, because the malware needed a programmable controller to do its work, and traffic into the safety network should be monitored for TriStation connections from anything other than the approved engineering workstation.
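As an added example (not code from the original article, from FireEye, or from any vendor), the check below applies the network-monitoring recommendation to NetFlow-style records. It assumes only that TriStation rides on UDP port 1502, which the public TRITON analyses document; the safety-network range, the engineering workstation address, the maintenance window and the flow records are all constructed for the example.

```python
"""Flag TriStation (UDP/1502) traffic into a safety-controller network that does
not come from an approved engineering workstation, or that arrives when no
maintenance is scheduled. Added example: the hosts, window and flows below are
constructed, not taken from any real incident."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Sequence, Tuple

TRISTATION_PORT = 1502  # UDP port used between TriStation and Triconex controllers


@dataclass(frozen=True)
class Flow:
    ts: str      # ISO 8601 timestamp of the flow start
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    dport: int
    nbytes: int


@dataclass(frozen=True)
class Alert:
    severity: str
    reason: str
    flow: Flow


def in_window(ts: str, windows: Sequence[Tuple[str, str]]) -> bool:
    """True if ts falls inside any (start, end) maintenance window."""
    t = datetime.fromisoformat(ts)
    return any(datetime.fromisoformat(a) <= t <= datetime.fromisoformat(b)
               for a, b in windows)


def analyse(flows: Iterable[Flow], sis_net: str, engineering_hosts: Iterable[str],
            windows: Sequence[Tuple[str, str]] = ()) -> List[Alert]:
    """Allowlist-based check: who may speak TriStation to the SIS network, and when."""
    sis = ipaddress.ip_network(sis_net)
    eng = {ipaddress.ip_address(h) for h in engineering_hosts}
    alerts: List[Alert] = []
    for f in flows:
        if ipaddress.ip_address(f.dst) not in sis:
            continue  # only traffic into the safety network is of interest here
        src_ok = ipaddress.ip_address(f.src) in eng
        tristation = f.proto == "udp" and f.dport == TRISTATION_PORT
        if tristation and not src_ok:
            alerts.append(Alert("high", "TriStation from non-engineering host", f))
        elif tristation and not in_window(f.ts, windows):
            alerts.append(Alert("medium", "TriStation outside maintenance window", f))
        elif not tristation and not src_ok:
            alerts.append(Alert("low", "non-TriStation traffic into SIS network", f))
    return alerts


# Constructed sample: one approved engineering workstation, one SIS /24, and an
# IT-side host (10.0.30.77) standing in for a compromised machine.
SIS_NET = "10.10.5.0/24"
ENGINEERING = ["10.10.1.5"]
WINDOWS = [("2019-03-10T08:00:00", "2019-03-10T12:00:00")]
SAMPLE_FLOWS = [
    Flow("2019-03-10T09:15:00", "10.10.1.5", "10.10.5.10", "udp", 1502, 1200),  # legitimate
    Flow("2019-03-10T23:40:00", "10.0.30.77", "10.10.5.10", "udp", 1502, 4096),  # high
    Flow("2019-03-11T02:05:00", "10.10.1.5", "10.10.5.10", "udp", 1502, 800),   # medium
    Flow("2019-03-10T23:41:00", "10.0.30.77", "10.10.5.11", "tcp", 445, 300),   # low
    Flow("2019-03-10T23:42:00", "10.0.30.77", "10.0.30.1", "tcp", 80, 150),     # not SIS
]


def sample_report() -> List[Alert]:
    return analyse(SAMPLE_FLOWS, SIS_NET, ENGINEERING, WINDOWS)


if __name__ == "__main__":
    for a in sample_report():
        print(f"{a.severity:6} {a.flow.ts} {a.flow.src} -> "
              f"{a.flow.dst}:{a.flow.dport}/{a.flow.proto}  {a.reason}")
```

In practice the Flow records would come from a Zeek conn log or a NetFlow exporter on the span port between the process network and the safety network. The check is deliberately an allowlist rather than a signature: because TriStation is undocumented, the defender cannot reliably tell a program download from a status poll, but any UDP/1502 session from a host that is not the engineering workstation, or one that happens at 2 a.m. with no change ticket, is worth a phone call regardless of what it contains.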