
April 2019

Triton Malware Found Inside Second CNI Facility

Security researchers are warning ICS managers that a Russian hacking group linked to an attempt to blow up a Saudi oil plant has been found inside a second critical infrastructure (CNI) facility. The sophisticated Triton hacking group has been active since 2014 and uses several different custom and commodity tools to gain access to, and maintain its presence inside, the IT and OT networks of CNI firms. Triton was first identified in a Saudi Arabian oil plant in 2017.