The hackers behind 'the most murderous malware' in the world are back and have infected a key infrastructure facility, security analysts say.

Researchers at the firm FireEye say traces of a dangerous malware called Triton have cropped up for the second time since 2017, when hackers leveraged it to gain control of critical processes at an oil plant in Saudi Arabia.

In a report, the firm did not reveal exactly where the attack happened, who the target was, or even how much damage, if any, was done, though it did highlight some of the group's apparent intentions.

A Saudi Arabian oil plant was the subject of an attack from the same hackers in 2017.

WHAT IS TRITON MALWARE?

A murderous malware called Triton was behind attacks targeting a Saudi Arabian oil refinery in 2017. Recent reports reveal that the hackers could have caused a deadly gas leak or explosion using the tool. Security analysts at FireEye have highlighted Triton's capabilities and linked it to a Russian research lab. The hacking group has developed other tools, which FireEye says have infected another unnamed facility. It's unclear what damage hackers carried out, if any. More victims are likely still out there, says the firm.

'The actor gained a foothold on the distributed control system (DCS) but did not leverage that access to learn about plant operations, exfiltrate sensitive information, tamper with the DCS controllers, or manipulate the process,' reads the report.

It follows a report from MIT Technology Review earlier this year that warned the malware is 'murderous' and spreading.

Researchers say that by masking its activity through innocuous file names, posing as legitimate administrative tools, and more, the group was able to stay undetected within the facility's systems for a year before compromising its Safety Instrumented System (SIS).

An SIS is a critical safety tool used to monitor processes within various plants and other infrastructure facilities.

While the nature of recent attacks is unclear, as reported by E&E last month, attacks from the group in 2017 could have been fatal.

'Two emergency shutdown systems sprang into action as darkness settled over the sprawling refinery along Saudi Arabia's Red Sea coast,' reads the report.

Hackers gained access to the system a year prior to compromising critical safety systems.

'The systems brought part of the Petro Rabigh complex offline in a last-gasp effort to prevent a gas release and deadly explosion. But as safety devices took extraordinary steps, control room engineers working the weekend shift spotted nothing out of the ordinary, either on their computer screens or out on the plant floor.'

Last year FireEye linked the Triton malware to Russia's Central Scientific Research Institute of Chemistry and Mechanics, a research lab in Moscow, and said that the hackers have been active since 2014.

More yet-to-be-detected victims are likely, according to the firm.

According to Motherboard, withholding the identity of victims and details of attacks is a fairly common practice among firms, which may be obligated by contract not to disclose them.

'Critical infrastructure facility' often refers to large scale operational facilities like nuclear power plants, water treatment centers, or power grids,' the report states.