FireEye has released research detailing how the TRITON malware works and how it was created. TRITON was identified late last year by FireEye's Mandiant team following an incident at a critical infrastructure organization, where an attacker deployed malware designed to manipulate industrial safety systems and targeting Industrial Control Systems (ICS).
Since TRITON was discovered, FireEye has wondered how the threat actor created the malware, and this report provides insights into that question. The attacker reverse engineered a Triconex controller using legitimate software to learn its protocol, then built the malware to speak that protocol. FireEye has learned that the development process was easier than previously thought. In light of this, the company expects other threat actors to take similar approaches when developing tools to exploit ICS.
The full report can be found here: https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-triton-and-tristation.html