Triton Group Found Inside Second CNI Facility
April 11, 2019 / Phil Muncaster
A sophisticated Russian hacking group linked to an attempt to blow up a Saudi oil plant has been discovered inside a second critical national infrastructure (CNI) facility, security researchers have warned.

The Triton group has been active since 2014 and uses dozens of custom and commodity tools to gain access to, and maintain persistence inside, the IT and OT networks of CNI firms, according to FireEye.

The security vendor didn’t elaborate on the location or even the type of CNI firm targeted in this second attack, although it emphasized that such campaigns can require months or even years of careful planning: to install malware like Triton, hide it, and maintain persistence until the time is right to strike.

“This attack was no exception. The actor was present in the target networks for almost a year before gaining access to the Safety Instrumented System (SIS) engineering workstation. Throughout that period, they appeared to prioritize operational security,” FireEye explained.