A powerful hacker group behind the Triton malware strikes again

A highly capable hacker group reportedly behind a failed plot to blow up a Saudi petrochemical plant has now been found in a second facility.

FireEye researchers said they found traces of the so-called Triton group in another unnamed “critical infrastructure” facility. The group’s eponymous malware, previously linked to the Russian government, is designed to burrow into a target’s networks and sabotage its industrial control systems, which are used in power plants and oil refineries to control the operations of the facility.

By compromising these controls, a successful attack can cause significant disruption — even destruction.

The company was tight-lipped on the intrusion at the second facility, declining to describe the type of facility or its location — or even the year of the attack.

“We assess the group was attempting to build the capability to cause physical damage at the facility when they accidentally caused a process shutdown that led to the Mandiant investigation,” said Nathan Brubaker, senior manager, analysis at FireEye, in an email to TechCrunch describing the first incident.

Brubaker declined to comment on the motives behind the intrusion at the second facility.
