Triton Internet Malware: Understanding the World’s Most Deadly Malware and Its Spread

The Internet is one of the most useful inventions in the history of the human race. It's given us capabilities for learning, business, and entertainment that were previously unfathomable.

But, with the Internet comes the threat of hackers. This is especially true for companies that rely on sensitive data to keep running.

Most of us are familiar with computer viruses, and many of us have dealt with one at some point. But in 2017 researchers uncovered something in a different class: malware that does not go after office PCs or customer data at all, but after the safety controllers that keep an industrial plant from blowing up. Its name is Triton.
If you want to protect yourself, you need to understand what it is and how it got in. Let's take a look at what is known about Triton.

So, Where Did it Come From?

In 2017, a petrochemical plant in Saudi Arabia brought in an outside incident-response team after its safety system unexpectedly tripped and shut the plant down. What looked at first like an equipment fault turned into one of the most unsettling discoveries in the short history of industrial cyber attacks.

The investigators found that the plant's systems had been infected with a particularly concerning form of malware.

It had been deployed against the plant's safety instrumented system (SIS), the independent layer of controllers whose only job is to bring a process to a safe state when pressure, temperature or flow goes out of bounds, for example by shutting valves. Everyone involved quickly realized that an attacker who controls that layer can silently disable the plant's last automated line of defence, or trigger a shutdown at will.

The malware's name comes from its target: the Schneider Electric Triconex safety controllers installed at the Saudi plant. The same malware is also reported under the names Trisis and HatMan.

This led to another stark realization: the same class of controllers is installed in thousands of facilities worldwide, including oil and gas, chemical, and nuclear plants.

After its discovery, many researchers rated it the most dangerous malware seen to date, above even the malware used against Ukraine's power grid, because it was the first known attack aimed directly at the systems that protect human life rather than at the process itself.

What Does it Do?

Triton does not damage a plant directly. It is a toolkit that speaks the engineering protocol the Triconex controllers use, and it was used to try to install a modified program on the controllers that would have let the attackers read and write controller memory, and so alter or suppress the safety logic, whenever they chose.

The point of that capability is not destruction by the malware itself. It is to strip a chemical plant, refinery, water treatment facility or similar site of its ability to detect and stop a dangerous condition, so that a fault (or a second, deliberate attack on the process) is no longer caught. One practical detail matters here: a Triconex controller only accepts a new program when a physical key switch on the controller is set to program mode, which is why the attackers also needed a foothold on the plant's engineering workstation, and why leaving controllers in run mode is a real control rather than a formality.

There's something else particularly unsettling to take note of, as well. There is no direct financial gain from Triton's existence.

Most malware seeks to steal personal information such as names, social security numbers, and credit card details while remaining undetected. Money is obviously the motive in those cases.

Triton, by contrast, appears to exist to put human lives at risk on a large scale.

Think for a moment about the potential devastation that could be caused by disabling a nuclear power plant's key security measures. Thousands of lives could be lost and billions of dollars in property damage could occur.

Who's Behind It?

When investigating the malware and the intrusion at the Saudi plant, researchers found Cyrillic-language artifacts in the attackers' tooling.

Combined with an IP address registered to the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM) in Moscow, which had been used for activity linked to the intrusion, this led them to assess that the institute supported the attack.

Even more alarming is that CNIIHM is owned by the Russian government.

As of April 10, 2019, there has been a second attack on a Middle Eastern firm that utilized Triton. Further details are still being uncovered during the investigation.

What Are The Hackers' Motives?

The malware was clearly built by a team with significant engineering skill and detailed knowledge of the target controllers. The people responsible therefore appear to be patient and calculating, not reckless vandals with an arbitrary desire for destruction.

Despite Triton being out in the world, it has not yet caused a physical catastrophe; the only damage so far has been the unplanned plant shutdowns the attackers triggered by accident while deploying it. So far, it has been more or less like finding out someone had planted a bomb in your home but had not detonated it.

There are a handful of possible theories as to why the hackers created Triton. These include:

  • To test their ability to reach and reprogram safety systems in places where poor cybersecurity could mean widespread destruction
  • To keep the implant dormant at these facilities and later blackmail or extort the owners or operators
  • Having developed a way to disable crucial safety functions remotely, to pair it with a way of causing a dangerous process upset at the same sites

All of these scenarios are alarming, which is why putting a stop to its functionality is so crucial.

How Can I Protect My Business?

If your business doesn't run industrial processes or public services like water treatment or electricity, you are probably not high on the target list. But the attackers spent a long time inside the plant's ordinary corporate IT network before they ever reached the safety system, and that phase of the intrusion looks like any other targeted attack on a business.

In order to keep your systems safe, employ the following practices:

  • Always keep your anti-virus systems updated.
  • Use the most current version of your computers' operating system and apply security patches promptly.
  • Back up your data in two locations (one physical and one remote).
  • Train your employees never to open suspicious emails, run unidentified programs, or engage in other behavior that would put your company's network at risk.
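The steps above are general IT hygiene. For a site that actually operates safety controllers, the check a practitioner would want on top of them is to watch the engineering traffic that reaches those controllers, since that is the channel Triton used. The script below is an added example, not code from the original article or from any vendor: it reads a flow log and flags engineering-protocol traffic to safety controllers that comes from a host other than the approved engineering workstation, or that arrives while no maintenance window is open. The addresses, host inventory and log lines are constructed for illustration. The one assumed fact is the port: TriStation, the protocol used to program Triconex controllers, runs over UDP port 1502; adjust the constant if your site differs.

```python
"""
Detection check for unexpected engineering traffic to safety controllers.

Added example, not code from the original article or from any vendor.
The host inventory, addresses and log lines are constructed for illustration.
Assumed fact used here: TriStation, the protocol used to program Triconex
safety controllers, runs over UDP port 1502. Adjust if your site differs.
"""
from collections import Counter

TRISTATION_PORT = 1502  # assumed: TriStation engineering protocol, UDP

# Constructed site inventory: the safety controllers, and the single
# workstation that is permitted to program them.
SIS_CONTROLLERS = {"10.20.5.11", "10.20.5.12"}
APPROVED_ENGINEERING_HOSTS = {"10.20.1.50"}

# Constructed flow log, one flow per line: "src dst proto dport bytes".
# In practice this would come from a span port, NetFlow or firewall logs.
SAMPLE_LOG = """\
10.20.1.50 10.20.5.11 udp 1502 840
10.20.1.50 10.20.5.12 udp 1502 620
10.20.1.77 10.20.5.11 udp 1502 4096
10.20.1.77 10.20.5.11 udp 1502 65000
10.20.2.9 10.20.5.12 tcp 502 300
10.20.1.77 10.0.0.5 tcp 443 1200
"""


def parse_flows(text):
    """Turn the flow log into (src, dst, proto, dport, nbytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, dport, nbytes = line.split()
        flows.append((src, dst, proto.lower(), int(dport), int(nbytes)))
    return flows


def is_tristation_to_sis(flow, controllers=SIS_CONTROLLERS):
    """True if the flow is engineering-protocol traffic aimed at a safety controller."""
    _, dst, proto, dport, _ = flow
    return dst in controllers and proto == "udp" and dport == TRISTATION_PORT


def find_suspicious(flows, maintenance_window=False,
                    controllers=SIS_CONTROLLERS,
                    approved=APPROVED_ENGINEERING_HOSTS):
    """
    Return one alert per TriStation flow to a safety controller that is either
    (a) from a host not on the approved list, or (b) from any host while no
    maintenance window is open. Rule (b) matters because in the 2017 incident
    the attack tooling ran on the plant's own engineering workstation, so a
    source allowlist on its own would have let that traffic through.
    """
    alerts = []
    for flow in flows:
        if not is_tristation_to_sis(flow, controllers):
            continue
        src, dst, _, _, nbytes = flow
        if src not in approved:
            alerts.append({"src": src, "dst": dst, "bytes": nbytes,
                           "reason": "unapproved source"})
        elif not maintenance_window:
            alerts.append({"src": src, "dst": dst, "bytes": nbytes,
                           "reason": "outside maintenance window"})
    return alerts


def alerts_by_source(alerts):
    """Count alerts per source host so a single rogue machine stands out."""
    return Counter(a["src"] for a in alerts)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    for alert in find_suspicious(flows, maintenance_window=False):
        print(alert)
    print(alerts_by_source(find_suspicious(flows, maintenance_window=False)))
```

With `maintenance_window=False` the script flags all four TriStation flows: the two from the unknown host 10.20.1.77 as an unapproved source, and the two from the approved workstation because nobody had scheduled controller programming. The Modbus and HTTPS flows are ignored. The second rule is the important one: an allowlist of engineering hosts catches a rogue laptop, but only a "nobody should be programming the SIS right now" rule catches tooling running on the legitimate workstation.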

While it's not possible to completely prevent a cyber attack, these simple steps go a long way. Operators of safety systems should add the controls specific to that environment: keep the safety controllers on a network separated from both the corporate network and the plant control network, leave the controllers' key switches in run mode except during planned maintenance, and monitor and alert on any engineering traffic that reaches the safety controllers outside a maintenance window.

Combating The Triton Internet Threat Can Seem Difficult

But it doesn't have to be.

With the above information about Triton in mind, you'll be well on your way to keeping your business as safe as possible in the future.

Want to learn more Internet tips that can help make your life easier? Make sure to check out the rest of our blog!