From 90e37eb2723f6ca51405bb632bba5c0778a0151f Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 14 Dec 2017 17:13:18 +0100
Subject: [PATCH] TRITON added
---
 clusters/tool.json | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/clusters/tool.json b/clusters/tool.json
index 5a2624c..04c7c9c 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -3133,6 +3133,15 @@
 "https://www.welivesecurity.com/2013/01/24/linux-sshdoor-a-backdoored-ssh-daemon-that-steals-passwords/"
 ]
 }
+ },
+ {
+ "value": "TRITON",
+ "description": " This malware, which we call TRITON, is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers. We have not attributed the incident to a threat actor, though we believe the activity is consistent with a nation state preparing for an attack. TRITON is one of a limited number of publicly identified malicious software families targeted at industrial control systems (ICS). It follows Stuxnet which was used against Iran in 2010 and Industroyer which we believe was deployed by Sandworm Team against Ukraine in 2016. ",
+ "meta": {
+ "refs": [
+ "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html"
+ ]
+ }
 }
 ]
 }
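Review bot: The added `description` is written in the first person ("which we call TRITON", "We have not attributed", "we believe was deployed by Sandworm Team"), so anyone reading this cluster entry cannot tell whose naming and attribution assessment it is. The wording appears to be taken from the FireEye post listed under `refs`, so the statements should name that source: replace `which we call TRITON` with `which FireEye calls TRITON`, and `we believe` with `FireEye believes` in both places. The string also begins and ends with a stray space inside the quotes, which is worth trimming because it can defeat exact-match comparison and deduplication in tools that ingest the cluster.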