{"id":2484,"date":"2018-06-08T17:45:00","date_gmt":"2018-06-08T17:45:00","guid":{"rendered":"https:\/\/www.darkreading.com\/operations\/fireeye-finds-new-clues-in-triton-trisis-attack\/d\/d-id\/1332008"},"modified":"2018-06-08T17:45:00","modified_gmt":"2018-06-08T17:45:00","slug":"fireeye-finds-new-clues-in-triton-trisis-attack","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/fireeye-finds-new-clues-in-triton-trisis-attack\/","title":{"rendered":"FireEye Finds New Clues in TRITON\/TRISIS Attack"},"content":{"rendered":"<header>\n<\/header>\n<p><span class=\"strong black\">Attackers behind the epic industrial-plant hack reverse-engineered the safety-monitoring system&#8217;s proprietary protocol, researchers found.<\/span> <\/p>\n<p class=\"\">Researchers from FireEye have found proof that the hackers who breached and inadvertently shut down a safety monitoring system in a Middle East industrial plant reverse-engineered the protocol software.<\/p>\n<p>&#8220;Instead of just being a theory that they reverse-engineered something or used legitimate resources to augment their development on it, now we have evidence that supports that,&#8221; says Steve Miller, a researcher with FireEye who made the discovery after studying the malware&#8217;s Python scripts.<\/p>\n<p>The so-called <a href=\"https:\/\/www.darkreading.com\/vulnerabilities---threats\/schneider-electric-triton-trisis-attack-used-0-day-flaw-in-its-safety-controller-system-and-a-rat\/d\/d-id\/1330845\" target=\"_blank\">TRITON\/TRISIS attack<\/a>\u00a0targeted\u00a0Schneider Electric&#8217;s emergency shutdown system\u00a0\u2013 Triconex Tricon \u2013 with custom malware. 
Two of\u00a0the plant&#8217;s safety-instrumented systems (SIS) controllers entered a failed safe mode that shut down the industrial process and ultimately led to last year&#8217;s discovery of the malware.<\/p>\n<p>Schneider Electric later discovered a zero-day privilege-escalation vulnerability in its Triconex Tricon safety-controller firmware that it says helped the attackers wrest control of the emergency shutdown\u00a0system. They also found a remote access Trojan (RAT) in the TRITON\/TRISIS malware that they say represents the first-ever RAT to infect SIS equipment.<\/p>\n<p>SISes monitor critical systems to ensure they are operating within acceptable safety thresholds; when they are not, the SIS automatically shuts them down. Schneider&#8217;s proprietary TriStation UDP network communications protocol is used by the TriStation application to configure the Triconex SIS controllers.<\/p>\n<p>While recently studying the TRITON\/TRISIS malware framework&#8217;s implementation of the legitimate protocol, FireEye researchers noticed that the malware&#8217;s TriStation version drew some of its capabilities from the legitimate Triconex software. There also were some &#8220;sloppy&#8221; elements of the attackers&#8217; version of TriStation, including some typos, Miller notes.<\/p>\n<p>&#8220;They didn&#8217;t know enough about the specific function of the protocol code,&#8221; he says.<\/p>\n<p>Just how the attackers got their hands on the TriStation software remains unclear,\u00a0Miller\u00a0says. &#8220;We found these items on VirusTotal,&#8221; he says of the code his team studied. FireEye initially had theorized that the attackers had purchased a Triconex controller and software for their own use and reverse-engineering. 
If they did, though, the software didn&#8217;t give them the intel to know which firmware version the targeted plant was running.<\/p>\n<p>Dragos researcher Reid Wightman, whose team also has been studying the attack, applauds FireEye\u2019s findings and says they raise some &#8220;interesting questions.&#8221; The attackers, he says, likely had to have the hardware to test and create the TRISIS\/TRITON malware and appear to have reverse-engineered the TriStation 1131 software in order to glean intel on the TriStation protocol. But his team doesn&#8217;t believe the attackers obtained TriStation&#8217;s Python library from a vendor.<\/p>\n<p>&#8220;Due to some oddities in the implementation of the protocol in the TRISIS malware, we have some doubts that the software came from an ICS vendor,&#8221; Wightman says. &#8220;We would expect a commercially developed library for the protocol to be more fully implemented, while the TRISIS implementation is really doing the bare minimum\u00a0\u2013\u00a0only pulling out the fields that are absolutely required to do a logic update and pull off the exploit.&#8221;<\/p>\n<p>The attackers likely wrote the Python code themselves, after reverse-engineering the TriStation 1131 software, which is available for purchase online, Wightman says.<\/p>\n<p><strong>Sharing Intel<br \/><\/strong>Andrew Kling, Schneider Electric&#8217;s\u00a0director of cybersecurity and software practices, says TRITON\/TRISIS was a sophisticated targeted attack that only a well-resourced attacker could pull off.<\/p>\n<p>&#8220;This was a highly complex, detailed, and targeted attack that could only have been executed by someone with incredible resources at their disposal,&#8221; Kling says. 
&#8220;It remains a call to action for industry and reinforces the need for industrywide collaboration, transparency, and culture change to ensure our most critical infrastructure and volatile operations are secure from attack.&#8221;<\/p>\n<p>That&#8217;s why it&#8217;s key for researchers to share their analyses of this attack, as well as others, according to Kling. He says his company continues to call vendors, users, third-party providers, integrators, standards bodies, industry groups, and government agencies &#8220;to develop a new approach to ensure legacy and new technologies are able to withstand increasingly sophisticated attacks.&#8221;<\/p>\n<p>Sharing intel on the TRITON\/TRISIS attack is what FireEye wants, too. &#8220;[<a href=\"https:\/\/www.fireeye.com\/blog\/threat-research\/2018\/06\/totally-tubular-treatise-on-triton-and-tristation.html\" target=\"_blank\">Our new research<\/a>] is just one dataset and aperture into this,&#8221; Miller says.\u00a0FireEye wants to work with other researchers and compare findings, he adds.<\/p>\n<p>Miller also says he was surprised to see how relatively simple it was to develop software mimicking TriStation. &#8220;I&#8217;m not an ICS expert,&#8221; he says, but he and his team were able to discern how TriStation works using Triton relatively quickly. &#8220;We picked this up a month-and-a-half ago. If it was easy for us using public knowledge, one might wonder what a professional, state-sponsored attacker can do.&#8221;\u00a0\u00a0<\/p>\n<p>Even so, the attackers behind TRITON\/TRISIS somehow stumbled, causing their malware to inadvertently shut down the emergency shutdown systems and ultimately expose the malware. What appeared to be an attempt to wreak some sort of cyber-physical damage failed, according to experts who studied the attack.\u00a0<\/p>\n<p>&#8220;They had problems. 
It&#8217;s plausible that was because they were still testing [the malware],&#8221; Miller says.<\/p>\n<p><span class=\"italic\">Kelly Jackson Higgins is Executive Editor\u00a0at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise &#8230; <a href=\"https:\/\/www.darkreading.com\/author-bio.asp?author_id=322\">View Full Bio<\/a><\/span> <\/p>\n<p> Read More <a href=\"https:\/\/www.darkreading.com\/operations\/fireeye-finds-new-clues-in-triton-trisis-attack\/d\/d-id\/1332008?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Attackers behind the epic industrial-plant hack reverse-engineered the safety-monitoring system&#8217;s proprietary protocol, researchers found. 
Read More <a href=\"https:\/\/www.darkreading.com\/operations\/fireeye-finds-new-clues-in-triton-trisis-attack\/d\/d-id\/1332008?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple\">HERE<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[151],"tags":[],"class_list":["post-2484","post","type-post","status-publish","format-standard","hentry","category-darkreading-ti"]}