When collating information for the OT/SCADA/ICS-specific presentations and talks I give on cybersecurity, one thing that has historically given me some heart is just how hard it is to pin down dedicated SCADA-targeting malware families. 

Malware of this type is written with incredibly specific knowledge of the individual control systems that are to be attacked. Unlike commodity malware that goes after an entire OS branch, application family or browser type - all of which will be commonly available and accessible across thousands of machines - OT-specific malware is often written with a single version of a particular industrial control system as the target. If written to attack a specific facility, there may only be a handful of machines that are actually the intended victims.

This makes the discovery of the new Triton/Trisis family of advanced SCADA-targeting malware all the more important, and all the more dangerous once it is available in the wild. Now we learn that this is indeed the case: the discovered Triton malware samples have been published and spread to the usual sharing sites, including VirusTotal and GitHub.

Typical malware is often made available in this manner to aid investigation and detection. However, the advanced nature, specific target, and possible nation-state involvement with Triton in particular make the dissemination of the malware framework a concerning development.

The combination of the two file samples now available allows general malware groups to reconstruct the entire Triton framework, although it would still require advanced knowledge and work to weaponise it against a real target.

Here's hoping we can continue to count the headline SCADA malware variants on our hands and this isn't the start of a more worrying uptick in capability and frequency of attacks.