Triton Safety Instrumented System Attack

[Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030) was a campaign conducted by [TEMP.Veles](https://attack.mitre.org/groups/G0088) which leveraged the [Triton](https://attack.mitre.org/software/S1009) malware framework against a petrochemical organization. (Citation: Triton-EENews-2017) The malware and techniques used within this campaign targeted specific Triconex [Safety Controller](https://attack.mitre.org/assets/A0010)s within the environment. (Citation: FireEye TRITON 2018) The incident was eventually discovered due to a safety trip that occurred as a result of an issue in the malware. (Citation: FireEye TRITON 2017)

Start date: 1 June 2017
End date: 1 August 2017
Techniques: 10

Attributed actors

Techniques (10)

collection (1)
T1056.003 Web Portal Capture

command-and-control (1)
T1573 Encrypted Channel

credential-access (2)
T1003.001 LSASS Memory
T1056.003 Web Portal Capture

execution (2)
T1059.001 PowerShell
T1053.005 Scheduled Task

persistence (1)
T1053.005 Scheduled Task

privilege-escalation (1)
T1053.005 Scheduled Task

reconnaissance (1)
T1595 Active Scanning

resource-development (2)
T1587.001 Malware
T1588.002 Tool

stealth (2)
T1036.005 Match Legitimate Resource Name or Location
T1027.005 Indicator Removal from Tools

Indicators of compromise

No IOCs linked to this campaign yet.