The Big Picture Around A Second TRITON Incident

Who should care?

FireEye’s recent exposure of further TRITON operator activity has drawn a lot of attention. Besides actioning the TTPs we disclosed, organizations have asked us for further insight. Given that the TRITON operators won’t necessarily attack every industrial environment, what lessons can we learn about attackers?

Our discovery of new TRITON activity underscores that any industrial environment whose disruption would make headlines is a possible target. Sophisticated ICS attacks like TRITON are one of many options in a nation-state’s disruption toolkit, which also includes more frequently used options such as DDoS and data destruction. To better anticipate what ICS attackers might consider to be their target options, we can look at previous targets of disruptive attacks. The history of these incidents tells us that it doesn’t much matter what kind of organization suffers; what attackers value is achieving the desired effect on an intended audience. We’ve seen disruptive attacks against banks, news media, software repositories, electrical utilities and many other organizations to send a message or advance political objectives.


So—returning to TRITON—what our latest discovery says about the state of threats in general is that nation-states are increasingly willing and able to include complex, specialized industrial equipment and industrial environments in their large scope of target options for disruptive attacks, limited not by industry or geography, but by possible effects.

Attackers seeking to perform TRITON-like attacks have probably previously conducted successful intrusions that have not been discovered. Since these attacks can be so complex and impactful, well-resourced attackers are likely to reserve some of their best stealth practices for them. The longest intrusion dwell times before discovery we reported in this year’s M-Trends report stretched over 2,000 days.


If the timeframe for a skilled intrusion to go undiscovered can stretch into years, and physical disruption is an area where nation-states might use their best stealth tactics, then even important discoveries such as TRITON cases may represent just a fraction of possible disruptive attacks that threat actors already have prepped globally, waiting for a need to pull the trigger. Furthermore, even discovered incidents that don’t appear to be ICS exploitation cases could signify interest from such attackers. Nation-states use off-the-shelf tools that blend in with “commodity” threats, and an actor might be able to manipulate industrial equipment without ICS-tailored payloads, through tactics such as exploiting operator interfaces.

To recap, what we can take away from the latest TRITON discovery is that virtually any critical infrastructure organization—or other prominent ICS operator—can benefit from anticipating attackers’ actions. We know that politically motivated actors are interested in exploiting whatever targets they need to for intended effect, and the TRITON incidents highlight that their options include many industrial environments. Organizations can protect themselves by tracking which attackers may be incentivized to target them, understanding those operators’ playbooks, looking for pre-existing compromises and positioning security controls against future intrusions.

Read more threat research on the TRITON actor on FireEye's blog
