Triton (malware)

from Wikipedia, the free encyclopedia

Triton is malware that was discovered in 2017 during an attempted cyberattack on Saudi petrochemical plants. The attack targeted a control module from Schneider Electric that is designed to shut down a system at the last minute in an emergency. The control module is used in many systems around the world, including in oil, gas and nuclear power plants.

History

In January 2017, computers in several petrochemical plants operated by National Industrialization Company and Sadara Chemical Company crashed. During the cyberattack, the data on the hard drives was deleted and a picture of Alan Kurdi was added. According to Schneider Electric, which was involved, as well as investigators from the NSA, the FBI, the Department of Homeland Security of the United States and the Pentagon, and experts from FireEye, the intent of the cyberattack was to cause an explosion at the petrochemical plant. It was only by chance or because of an error in the attackers' malicious program that the catastrophe did not occur.

The system's network was explored as early as 2014, when the attackers broke into the network through a security hole in a firewall and were able to take over a workstation remotely. This workstation was directly connected to the safety-relevant systems of the plant.

Initial investigations pointed to Iran, with help from Russia or North Korea, as the perpetrator. FireEye later suspected Russia to be the culprit. Evidence for this is an IP address of a Russian institute in Moscow, file names with Cyrillic letters and the compilation of the malware during office hours in Moscow. However, these clues could just as easily be part of a false flag operation.
