From d767e43669a18ede4ec94b95825541bae8bf88f2 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 14 Dec 2017 18:56:36 +0100
Subject: [PATCH] TRISIS is the main name of TRITON as discussed in https://twitter.com/DragosInc/status/941355602512613381
---
 clusters/tool.json | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/clusters/tool.json b/clusters/tool.json
index 04c7c9c..4d7ca66 100644
--- a/clusters/tool.json
+++ b/clusters/tool.json
@@ -3135,11 +3135,15 @@
 }
 },
 {
- "value": "TRITON",
- "description": " This malware, which we call TRITON, is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers. We have not attributed the incident to a threat actor, though we believe the activity is consistent with a nation state preparing for an attack. TRITON is one of a limited number of publicly identified malicious software families targeted at industrial control systems (ICS). It follows Stuxnet which was used against Iran in 2010 and Industroyer which we believe was deployed by Sandworm Team against Ukraine in 2016. ",
+ "value": "TRISIS",
+ "description": "(Dragos Inc.) The team identifies this malware as TRISIS because it targets Schneider Electric’s Triconex safety instrumented system (SIS) enabling the replacement of logic in final control elements. TRISIS is highly targeted and likely does not pose an immediate threat to other Schneider Electric customers, let alone other SIS products. (FireEye Inc.) This malware, which we call TRITON, is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers. We have not attributed the incident to a threat actor, though we believe the activity is consistent with a nation state preparing for an attack. TRITON is one of a limited number of publicly identified malicious software families targeted at industrial control systems (ICS). It follows Stuxnet which was used against Iran in 2010 and Industroyer which we believe was deployed by Sandworm Team against Ukraine in 2016. ",
 "meta": {
 "refs": [
- "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html"
+ "https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html",
+ "https://dragos.com/blog/trisis/TRISIS-01.pdf"
+ ],
+ "synonyms": [
+ "TRITON"
 ]
 }
 }
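Review bot: Changing `"value"` from `"TRITON"` to `"TRISIS"` replaces the string that downstream tags and lookups presumably key on, and the entry as shown in this hunk has no other stable identifier between `"value"` and its closing brace. Events or detection content already labelled with the old name may stop resolving to this cluster unless the consumer also matches on the new `"synonyms"` list, so that fallback should be confirmed before merging. The merged `"description"` joins two vendor quotes in which "we" refers to different parties, and it still ends with a stray space before the closing quote (`in 2016. "`). Trimming that whitespace and attributing each quote unambiguously would make the record safer to reuse in reports.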