Named attack · kill-chain walkthrough

Triton / Trisis

First malware engineered to defeat safety-instrumented systems — designed to enable physical destruction and loss of life

Actor: Xenotime / TEMP.Veles (Russian TsNIIKhM-linked)
Timeline: June – August 2017 (incident); public disclosure December 14, 2017
Attribution confidence: High

Attributed to a Russian government research institute — the State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM) — by the U.S. Treasury Department (OFAC) on October 23, 2020. DOJ indicted TsNIIKhM researcher Evgeny Viktorovich Gladkikh on March 24, 2022. FireEye/Mandiant and Dragos separately tracked the actor as TEMP.Veles and Xenotime respectively.

Xenotime / TEMP.Veles spent over a year burrowing from a Saudi petrochemical facility's corporate IT network into its operational technology environment before deploying TRITON — a custom Python framework that reverse-engineered Schneider Electric's proprietary TriStation protocol and spoke directly to Triconex Safety Instrumented System (SIS) controllers. The objective was to disable the plant's last line of protection against catastrophic industrial accidents, enabling physical destruction and potential loss of life. A coding flaw in the injected shellcode caused an unintended safety trip in August 2017, shutting the plant down safely and alerting defenders — the only thing that prevented a potentially catastrophic outcome. TRITON remains the first known malware purpose-built to attack and subvert safety instrumented systems.

Kill-chain diagram (seven scenes; the figure itself is not reproduced here). Stages shown, left to right: Xenotime / TEMP.Veles (TsNIIKhM, Moscow) → corporate IT network: Initial Access via VPN credential reuse, watering holes and Exchange web shells (T1133, T0817, T1505.003); IT Persistence via Cryptcat / OpenSSH backdoors, IFEO injection and SecHack credential theft (T1546.012, T1573, T1003.001) → IT ↔ OT boundary: OT pivot through a dual-homed DMZ and an HMI / engineering-workstation bridge on a poorly segmented DCS / SIS shared network at a Saudi petrochemical facility (T0886, T0867, T0859) → SIS engineering workstation: trilog.exe deployed masquerading as Triconex Trilog, a Py2EXE Python framework with library.zip and a TriStation protocol implementation, plus the inject.bin and imain.bin payloads; FireEye-published sample MD5s omitted here (T0853, T0871, T0849, T0885) → TriStation over UDP 1502 to a controller whose key switch was in PROGRAM mode → Schneider Electric Triconex Tricon SIS controller (MP3008 module, firmware 10.0 – 10.4, triple-modular redundancy; reads safety process data and monitors for fault conditions) (T0858, T0868, T0846.002) → backdoor injected into safety logic: inject.bin shellcode written to firmware RAM with the diagnostic function pointer hooked, imain.bin appended to the program table to run every controller scan cycle, supervisor privilege via a firmware vulnerability in the Tricon MP3008, goal of suppressing safety trips to enable physical destruction without SIS intervention (T0880, T0821, T0874, T0890, T0843, T1693.001) → coding flaw, August 2017: payload conditional check fails, TMR units detect the inconsistency, MP diagnostic failure, SIS enters fail-safe, plant shuts down safely, operators alerted, IR engagement, disclosure Dec 14 2017 (T0828, T0872, T0820). Timeline bar: Dec 14 2017 FireEye + Dragos disclosure; Apr 2019 Dragos reports a second Xenotime victim; Oct 23 2020 OFAC sanctions TsNIIKhM; Mar 24 2022 DOJ indicts Gladkikh (TsNIIKhM).
  1. Phase 01 · Initial Access (TA0001)

    IT-network foothold established via VPN credentials, watering holes, and web shells

    • TEMP.Veles gained initial access to the target's corporate IT network through a combination of compromised VPN credentials, drive-by watering-hole websites targeting industrial-sector employees, and web shells planted on Outlook Exchange servers.
    • The actor operated from virtual private servers (OVH and UK-2 Limited) using dynamic-DNS domains registered through afraid.org with vfemail.net addresses, masking their Russian origin.
    • Mandiant's 2019 TTP profile confirmed the actor had been active on corporate IT networks for over a year before any OT access was observed, consistent with a methodical reconnaissance-first approach.
    • No supply-chain compromise of a software vendor was involved; the path in was through standard external-facing services with credential reuse and phishing.
  2. Phase 02 · Persistence & Lateral Movement (IT) (TA0003)

    Custom backdoors, IFEO injection, and SSH tunnels maintained year-long IT presence

    • TEMP.Veles deployed modified Cryptcat-based backdoors compiled as early as 2014, customized OpenSSH binaries with forged Microsoft metadata, and Bitvise-based SSH servers for persistent encrypted command-and-control — communicating over ports 443, 4444, 8531, and 50501.
    • Credential harvesting used a custom tool named SecHack (a Mimikatz alternative) alongside deployed copies of Mimikatz and PsExec; PsExec and WinRM enabled remote execution across the IT network.
    • Image File Execution Options (IFEO) registry modifications provided additional persistence without creating easily detectable scheduled-task artifacts.
    • The actor routinely timestomped files with PowerShell and deleted logs immediately after tool execution, leaving minimal forensic traces; staging directories mimicked legitimate Windows infrastructure paths.
    • RDP was used extensively for lateral movement, with PLINK tunnels created to proxy RDP sessions through compromised intermediaries.
  3. Phase 03 · IT-to-OT Pivot (TA0109)

    Poorly segmented DMZ and dual-homed engineering stations bridged the IT–OT air gap

    • The target's network architecture included 'conduit' systems — hosts that straddled both the corporate IT network and the operational technology (OT) network, including human-machine interfaces (HMIs) and engineering workstations.
    • The SIS engineering workstation — the target host — ran Microsoft Windows and was reachable from the IT network through inadequately configured OT-segment firewall rules, a misconfiguration that Schneider Electric's advisory SEVD-2018-018-01 specifically called out.
    • The Triconex SIS and the Distributed Control System (DCS) shared a network segment (dual-homed integration), giving the actor a direct communication path to the Triconex controller over TriStation protocol once the engineering workstation was controlled.
    • TEMP.Veles deliberately limited high-risk OT-facing operations to off-hours windows to reduce the chance of being detected by plant operators monitoring live process data.
  4. Phase 04 · Execution on SIS Engineering Workstation (TA0002)

    trilog.exe — a custom Python framework compiled to an exe — spoke the reverse-engineered TriStation protocol

    • TRITON was deployed as `trilog.exe` on the SIS engineering workstation; the name deliberately mimicked the legitimate Triconex Trilog application used for SIS diagnostics, providing masquerade cover.
    • The framework was compiled from Python using Py2EXE and shipped with `library.zip`, which contained attacker-developed implementations of the three-layer TriStation protocol (TsHi, TsBase, TsLow) — a proprietary Schneider Electric protocol that had never been publicly documented.
    • Two binary payloads accompanied the framework: `inject.bin` (the shellcode to be written into the Triconex controller's firmware memory) and `imain.bin` (the malicious control-logic program to be appended to the execution table).
    • `trilog.exe` accepted a single IP address argument, checked the controller's status via TriStation UDP port 1502, read the current program configuration, and then encoded and appended the payloads to controller program memory and execution table entries.
    • The tool included anti-forensics logic: if payload injection failed, it wrote a dummy program to controller memory and attempted recovery via the `SafeAppendProgramMod` TriStation command to minimize evidence of the intrusion.
  5. Phase 05 · SIS Manipulation — Payload Injection (TA0106)

    PROGRAM-mode key switch exploited to write backdoor shellcode directly into Triconex controller firmware memory

    • The Triconex Tricon controller's physical key switch was in PROGRAM mode — the permissive position required for writing new safety logic — enabling the TriStation protocol to accept program download commands from the engineering workstation.
    • TRITON exploited an undisclosed vulnerability in Triconex MP3008 firmware to achieve supervisor-level privileges on the controller's PowerPC processor, enabling arbitrary read and write of controller memory outside the expected program address space.
    • The shellcode (`inject.bin`) was written directly to controller firmware RAM and patched the controller's diagnostic command function pointer to redirect execution to the attacker's payload on each diagnostic cycle — a hooking technique within the safety PLC's real-time operating environment.
    • The control-logic payload (`imain.bin`) was appended to the controller's program table, meaning it would execute on every controller scan cycle alongside the legitimate safety functions — but with logic designed to suppress or bypass safety trips under attacker-directed conditions.
    • This class of manipulation — reprogramming safety logic to enable unsafe conditions — is categorized in MITRE ATT&CK for ICS as Loss of Safety (T0880); the goal was to silently render the SIS inoperative so a simultaneous DCS-delivered destructive payload could cause physical damage without the safety system intervening.
  6. Phase 06 · Unintended Safety Trip (TA0103)

    A coding flaw caused an MP diagnostic failure — the controller entered fail-safe and shut the plant down

    • The TRITON shellcode contained a flawed conditional check that prevented the payload from persisting correctly between controller scan cycles; this caused a validation failure between the Triconex controller's redundant processing units (the Tricon's triple-modular redundancy architecture detected the inconsistency).
    • The Triconex safety system correctly interpreted the inconsistency as a fault condition and entered its designed fail-safe state, triggering an automatic plant shutdown — exactly the outcome a properly functioning SIS is designed to produce under anomalous conditions.
    • Mandiant's analysis confirmed that when the conditional flaw was patched in a lab replica environment, the payload persisted and the controller continued running — meaning the only thing that prevented the attack from succeeding was an attacker programming error.
    • The unplanned shutdown in August 2017 alerted plant operators and ultimately led to incident-response engagement with FireEye/Mandiant and the subsequent December 2017 public disclosure — if the attack had worked silently, it might never have been discovered.
    • The incident demonstrated the SIS's core design value (fail-safe on anomaly) while simultaneously exposing that a sufficiently sophisticated attacker had already bypassed every upstream control and reached the controller itself.
  7. Phase 07 · Disclosure & Attribution (TA0040)

    FireEye + Dragos disclosed simultaneously on Dec 14 2017; US Treasury sanctioned TsNIIKhM Oct 2020; DOJ indicted Gladkikh Mar 2022

    • On December 14, 2017, FireEye/Mandiant and Dragos published simultaneous analyses of the malware (named TRITON and TRISIS respectively, ICS-CERT calling it HatMan), marking the first public documentation of a safety-system-targeted attack framework.
    • The Schneider Electric security notification SEVD-2018-018-01 confirmed the Triconex Safety Instrumented System as the targeted platform and recommended that key switches be kept out of PROGRAM mode except during authorized maintenance windows.
    • Dragos disclosed in April 2019 that Xenotime had been identified at a second critical infrastructure victim at a different site — demonstrating the actor was not a one-target operation.
    • On October 23, 2020, the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) designated the State Research Center FGUP TsNIIKhM (Central Scientific Research Institute of Chemistry and Mechanics, Moscow) for providing material support to malicious cyber operations targeting critical infrastructure, marking the first public attribution of Triton to Russia.
    • On March 24, 2022, the U.S. Department of Justice unsealed an indictment against Evgeny Viktorovich Gladkikh, a TsNIIKhM computer scientist, charging him with conspiracy to cause damage to critical infrastructure and conspiracy to commit computer fraud in connection with the TRITON attacks and a follow-on attempt against a U.S. energy company.
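Detection logic a plant SOC could run over connection logs to catch the IT-to-OT behaviours described in Phases 02 through 05, as an added example that is not part of the original page or of any vendor tooling: it flags TriStation traffic (UDP/1502) from any host other than the approved SIS engineering workstation, TriStation traffic outside an authorised maintenance window (the control Schneider's advisory recommends, and the off-hours pattern the actor relied on), and outbound sessions on the non-standard backdoor ports listed in Phase 02. The host addresses, the maintenance window and the log-line format are assumptions.

```python
"""Added example, not from the page: flag Triton-style IT-to-OT activity in
constructed connection-log lines. Addresses, window and format are assumed."""
from datetime import datetime

TRISTATION_PORT = 1502                 # TriStation runs over UDP/1502 (from the page)
C2_PORTS = {4444, 8531, 50501}         # TEMP.Veles backdoor ports; 443 left out as too noisy
SIS_EWS = {"10.20.30.5"}               # assumed: the only approved SIS engineering workstation
SIS_CONTROLLERS = {"10.20.30.50"}      # assumed: Triconex controller address
MAINT_WINDOW = (8, 17)                 # assumed: authorised programming hours, local time

# Constructed sample log: "<ISO timestamp> <proto> <src> <dst> <dport>"
SAMPLE_LOG = """\
2017-08-03T10:15:00 udp 10.20.30.5 10.20.30.50 1502
2017-08-04T02:41:12 udp 10.20.30.5 10.20.30.50 1502
2017-08-04T02:43:09 udp 10.20.30.9 10.20.30.50 1502
2017-08-04T02:50:30 tcp 10.20.30.9 203.0.113.7 8531
2017-08-04T11:00:00 tcp 10.20.30.9 10.20.30.12 3389
"""

def parse(line):
    """Split one log line into (timestamp, proto, src, dst, dport)."""
    ts, proto, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), proto, src, dst, int(dport)

def classify(record):
    """Return the alert tags for one parsed record (empty list = benign)."""
    ts, proto, src, dst, dport = record
    alerts = []
    if proto == "udp" and dport == TRISTATION_PORT and dst in SIS_CONTROLLERS:
        if src not in SIS_EWS:                       # only the EWS may talk TriStation
            alerts.append("tristation_unauthorized_source")
        if not (MAINT_WINDOW[0] <= ts.hour < MAINT_WINDOW[1]):
            alerts.append("tristation_outside_maintenance_window")
    # Crude "leaves the site" test: anything not in the assumed 10.0.0.0/8 range
    if proto == "tcp" and dport in C2_PORTS and not dst.startswith("10."):
        alerts.append("possible_backdoor_c2_port")
    return alerts

def scan(log_text):
    """Map each offending log line to its alert tags."""
    findings = {}
    for line in log_text.splitlines():
        if line.strip():
            tags = classify(parse(line))
            if tags:
                findings[line] = tags
    return findings

if __name__ == "__main__":
    for line, tags in scan(SAMPLE_LOG).items():
        print(", ".join(tags), "<-", line)
```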
Diamond Model

Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.

Adversary
  • Xenotime / TEMP.Veles (Russian TsNIIKhM-linked)
Capability
  • T1133
  • T0817
  • T1505.003
  • T1546.012
  • T1573
Infrastructure
Victim
  • See narrative above
Primary sources