FireEye is responding to a second intrusion from group behind Trisis

FireEye released details on new customized tools the company’s incident responders had found at the unnamed critical infrastructure facility.

Cybersecurity company FireEye on Wednesday said it was responding to a second intrusion at a critical infrastructure facility carried out by the group behind Trisis, the notorious malware that targets safety systems at industrial plants.

To raise awareness about the group, known as Xenotime or TEMP.Veles, FireEye also released details on new customized tools the company’s incident responders had found at the unnamed facility. “[W]e believe there is a good chance the threat actor was or is present in other target networks,” FireEye researchers said in a blog post. (Trisis is also known as Triton in the cybersecurity industry.)

While the group behind Trisis was responsible for the intrusion, the Trisis malware itself has not been found on the victim’s network, according to FireEye researcher Steve Miller.

The announcement of a second intrusion reinforces warnings from industrial cybersecurity experts that the hacking group has gone after additional targets since the dangerous Trisis malware was deployed on a Saudi petrochemical plant in the summer of 2017. The malware disrupted the Saudi plant’s safety instrumented systems, forcing it to shut down.


Perhaps unlike any before it, that incident magnified attention within the industrial control systems (ICS) security community on the nexus of safety and network security.

The study of Triton is not just about the ICS-tailored malware itself, but about the human traits behind it. Last October, FireEye published evidence that a Russian research institute helped build tools used by TEMP.Veles.

“The TRITON framework itself and the intrusion tools the actor used were built and deployed by humans, all of whom had observable human strategies, preferences, and conventions for the custom tooling of the intrusion operation,” FireEye said Wednesday, adding that its forensics were based on “multiple” Triton-related incidents.

The FireEye blog post also shows how TEMP.Veles has used a mix of custom and “commodity” hacking kits, based on need. When it appears to be struggling to get around anti-virus engines, for example, it breaks out its own malicious programs to get the job done.

“The second incident lends support to our previous assessment that this actor is present across multiple targets and has been operational since at least 2014,” Nathan Brubaker, FireEye’s senior manager for analysis, told CyberScoop.


Dragos, an industrial cybersecurity company that also tracks the group (which it calls Xenotime), has warned that Xenotime had a busy 2018, which included new targeting of entities in the U.S.. The group was associated with “several compromises of ICS vendors and manufacturers” last year, “providing potential supply chain threat opportunities and vendor-enabled access to asset owner and operator ICS networks,” Dragos said in a report published in February.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts