Triton Ransomware Attack Targets Industrial Processes

Airgap Networks
Sep 17, 2022


Cyberattacks against operational technology in critical infrastructure facilities and chemistry research institutes have grown significantly in frequency and complexity across industries recently. Cyber threats to industrial safety systems, physical safety systems, and other industrial control systems are now at the forefront of national security concerns as geopolitical tensions are reflected in cyberspace and attacker technologies progress. To effectively defend against more complex cyberattacks, it is now essential to anticipate potential changes in attacker tradecraft.


Triton malware is one of a limited number of publicly identified malicious software families targeted at industrial control systems (ICS). This ICS-targeting hacking group comes after the use of Stuxnet against Iran and the suspected use of Industroyer by the Sandworm Team against Ukraine in 2016 and 2022. Because it might prevent safety devices from carrying out their intended purpose, a Triton attack might have an adverse physical effect on ICS. According to MIT Technology Review, Triton is the world's most murderous malware, and it's spreading. Although the Triton attack was found in the Middle East, the cyber actors who created it now target businesses with industrial processes, like petrochemical plants or transportation systems, in North America and other countries.

Modern automation and control systems for industrial processes rely on many complex safety features and control systems. The terms industrial control system (ICS) and operational technology (OT) are frequently used to describe these systems and operations.

Triton Malware Framework for OT

Advanced malware and cyber actors commonly rely on command and control (C2 or C&C) channels, which were utilized in all six attacks by the Triton malware group. C2 is used for upgrades, data exfiltration, deploying new malicious modules and capabilities, and occasionally allowing manual control by personnel. While spear phishing is considered the most common initial attack vector for getting past malware firewalls, there are other techniques, such as watering-hole attacks, in which a reputable third-party website is hijacked, and malware physically delivered using infected media, such as a USB drive.

Security researchers found that the Triton attackers moved to interrupt, disrupt, or destroy the industrial process after acquiring remote access. Investigations by multiple security firms have turned up a sophisticated malware framework that incorporates PowerPC shellcode (the Triconex architecture) and an implementation of the proprietary TriStation communication protocol. With the malware, the attackers could remotely insert shellcode into the target's system memory and easily connect with safety controllers. The attackers installed the Triton malware on the security system by way of the OT network. It also updated in-memory firmware to inject dangerous programming. If the SIS had not started safe shutdown processes, the malware could have caused facility damage, system outage, or even death.

Triton Malware Attack Vectors

Triton specifically targeted the Triconex safety controller, which Schneider Electric manufactures. According to the company, Triconex safety controllers are implemented in 18,000 industries, including nuclear, oil, and gas refineries, chemical plants, and others. The cyber actors targeted safety instrumented system (SIS) engineering workstations, and they were not engaged in traditional espionage or data exfiltration. Instead, the attackers focused on network reconnaissance, lateral movement, and maintaining a presence in the target environment. Once they gained access to an SIS workstation, they focused on deploying TRITON. SIS attacks call for a high level of process understanding (gained by analyzing acquired documents, diagrams, device configurations, and network traffic). SIS controllers are the final line of defense against an actual occurrence. In addition, the attackers used different techniques to evade detection: they mimicked legitimate administrator activities.


Cybersecurity investigation results suggest that spear phishing was the likely method used by the attackers to infiltrate the network. The attackers first installed Triton malware, infected the critical system, switched to the leading network to access the ICS network, and attacked SIS controllers. By interfering with the security mechanisms, hackers might take control of the controllers remotely over the internet. In the worst-case scenario, they may have disabled the sensors or provided them with false information to let a potentially fatal accident happen.

Every new IoT device adds a new vulnerability to the local network as it joins, whether in a home or workplace. The streamlined operating system that these smart appliances rely on to carry out their essential operations might sometimes pose more danger. Hackers will constantly search for the fastest means to gain access. That implies they may start their attack through another device even if their ultimate objective is to knock down a back-end server. It is increasingly challenging to stay secure online as networks expand with more network-connected IoT and IIoT devices.

SIS systems play a vital role in protecting from environmental variables. For zero-day vulnerabilities in ICS, identification and detection mechanisms are not well prepared because of dependency on third-party vendors and network visibility. Network segmentation via an agentless segmentation gateway is required for surviving critical attacks. Airgap Zero Trust Segmentation provides comprehensive control and visibility across the entire traffic flow.

The effects of a cyber incident might be mild when defensive mechanisms prevent an attacker from escalating their attack, or they can be quite serious. The consequences might be disastrous in the case of a safety protection system (SPS), which is intended to safeguard lives while avoiding harm to property and the environment. There is a need to implement user and autonomous risk policies that block high-impact user actions such as device enrollment and MFA registration. Airgap provides the agentless Secure Asset Access solution, which adds the needed security layer with MFA and SSO for any healthcare or industrial control device and for a consumer from any location, and offers multiple gateways for a set of applications and DNS.

Mitigation and Detection

The first step in preventing an attack is recognition. At the risk of misinterpreting, this involves continuously updating security measures. Most reliable virus protection software provides daily patch releases to counter new dangers. Patch management is critical for software configuration, and it helps reduce the attack surface and contain the threat. Airgap Zero Trust Segmentation provides an incident response mechanism that centralizes monitoring and updates the user with alerts and recommendations to prevent attacks.

To make it easier for engineers to design the Interprocess Communication (IPC) and SIS devices, they must have complete access to the engineering network. However, across all network access points, their access must be isolated, restricted, and monitored. To prevent privileged credentials from being exposed to outside engineers, privileged RDP sessions must be isolated by employing single sign-on (SSO) for both session initiation and all privileged sessions. These attacks indicate the need for Zero Trust Segmentation and agentless segmentation in the organization network. Airgap has designed the perfect forklift-free Zero Trust agentless segmentation solution that provides security service tunnels without installing endpoint agents and is vendor agnostic by using the netmask. When the netmask is all ones, the device will only send packets to the default segmentation gateway, which is the cleanest approach to capturing the packet, and the solution provides centralized cloud-delivered security management and an autonomous policy framework. Airgap's patented Ransomware Kill Switch can be deployed to eliminate the Triton attack propagation in your critical infrastructure.
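The netmask behaviour described above, read here as an all-ones (/32) mask, can be checked with a short model of a host's on-link decision. This is an added example, not Airgap's code; the addresses, the allowlist, and the function names are constructed for illustration.

```python
import ipaddress

def next_hop(src_ip, prefix_len, dst_ip, gateway):
    """Host-side on-link test: deliver directly when dst falls inside the
    interface's subnet, otherwise hand the packet to the default gateway."""
    iface = ipaddress.ip_interface(f"{src_ip}/{prefix_len}")
    if ipaddress.ip_address(dst_ip) in iface.network:
        return "direct"   # same segment: the gateway never sees this packet
    return gateway

def evaluate(hosts, prefix_len, gateway, allow):
    """Classify each host-to-host path: bypasses, allowed at, or blocked at the gateway."""
    result = {"bypass": [], "allowed": [], "blocked": []}
    for src in hosts:
        for dst in hosts:
            if src == dst:
                continue
            if next_hop(src, prefix_len, dst, gateway) == "direct":
                result["bypass"].append((src, dst))
            elif (src, dst) in allow:
                result["allowed"].append((src, dst))
            else:
                result["blocked"].append((src, dst))
    return result

# Constructed sample values (not from the page). How a /32 host reaches the
# gateway itself (an on-link host route) is outside this sketch.
GATEWAY = "10.20.0.1"
HOSTS = ["10.20.0.11", "10.20.0.12", "10.20.0.50"]
ALLOW = {("10.20.0.11", "10.20.0.50")}  # engineering workstation -> SIS controller

if __name__ == "__main__":
    for plen in (24, 32):
        r = evaluate(HOSTS, plen, GATEWAY, ALLOW)
        print(f"/{plen}:", {k: len(v) for k, v in r.items()})
```

With a /24 mask every peer-to-peer path stays on the segment and no policy can apply to it; with /32 every path crosses the gateway, where only the allowlisted pair is permitted.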

The ICS industry also needs to check the security state of all connected OT/IT software configurations. There is a need for activity monitoring for tools connecting with your system and their network traffic logs. The organization should have an extra pair of Security Operations Analysts working on monitoring the traffic and threat hunting with SIEM/SOAR solutions. Airgap Zero Trust Segmentation provides built-in integration with SIEM/SOAR solutions and the continuous monitoring of the network. It analyzes every IP address associated with IoT, IoMT, IIoT, and OT critical infrastructure.

Attackers learn from one another and previous attacks what tactics are most effective. Staying safe is essential due to the fast evolution of ICS threats. To prevent serious breaches, manufacturers, plant managers, governments, and the cybersecurity sector must cooperate. For more information, check out Airgap for Critical Infrastructure at
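The traffic monitoring called for in this section can start with a simple rule: TriStation traffic (UDP port 1502) should reach an SIS controller only from the approved engineering workstation, and only during approved engineering hours. The following is an added example, not code from the article or from Airgap; the flow records, addresses, and maintenance window are constructed assumptions.

```python
import csv
import io
from datetime import datetime, time

TRISTATION_PORT = 1502               # TriStation runs over UDP/1502
SIS_CONTROLLERS = {"10.30.0.50"}     # constructed address
ENG_WORKSTATIONS = {"10.30.0.11"}    # constructed allowlist
WINDOW = (time(8, 0), time(17, 0))   # assumed approved engineering hours

# Constructed flow records: time,src,dst,proto,dport
FLOWS = """\
2022-09-12T10:02:11,10.30.0.11,10.30.0.50,udp,1502
2022-09-12T10:05:40,10.30.0.23,10.30.0.50,udp,1502
2022-09-13T02:41:07,10.30.0.11,10.30.0.50,udp,1502
2022-09-13T09:15:00,10.30.0.23,10.30.0.60,tcp,443
"""

def triage(flow_text):
    """Return (time, source, reason) alerts for TriStation flows to SIS controllers."""
    alerts = []
    for ts, src, dst, proto, dport in csv.reader(io.StringIO(flow_text)):
        is_tristation = proto == "udp" and int(dport) == TRISTATION_PORT
        if dst not in SIS_CONTROLLERS or not is_tristation:
            continue
        when = datetime.fromisoformat(ts).time()
        if src not in ENG_WORKSTATIONS:
            alerts.append((ts, src, "tristation-from-unauthorized-host"))
        elif not WINDOW[0] <= when <= WINDOW[1]:
            alerts.append((ts, src, "tristation-outside-maintenance-window"))
    return alerts

if __name__ == "__main__":
    for alert in triage(FLOWS):
        print(alert)
```

The second rule matters because the attackers described here worked from the SIS engineering workstation itself and mimicked administrator activity, so a source allowlist alone would not flag them.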


