FireEye announced this morning that they were investigating activity by the "Triton actor," whose operations they've discovered in a "critical infrastructure facility." Which facility and where that facility is located aren't specified, but FireEye stresses that it's not the same plant in which Triton malware was first detected. It's worth noting that FireEye doesn't say that the destructive Triton malware itself was found in the facility, but rather that they found the "Triton actor" and some use of the "Triton framework."
The attack showed the now familiar mix of commodity and custom-built code, and this particular infestation is noteworthy for the steps it took to evade detection and establish long-term persistence in the systems it targeted. Triton has been attributed, by FireEye and others, to the Russian government. Its earlier use against a petrochemical facility was alarming for the way it affected safety systems.
Another apparently state-directed APT framework, this one designed to deploy spyware, is being reported by Kaspersky Lab. The researchers call it TajMahal, and they say it's both quiet and sophisticated, having been operated since at least 2013. The package is delivered in two modules, "Tokyo" and "Yokohama." Tokyo deploys first, then Yokohama follows if the target is sufficiently interesting to warrant further collection. So far an unnamed Central Asian country's networks have been affected.
On Patch Tuesday Adobe fixed forty-three bugs in Acrobat, Reader, Flash Player, Shockwave Player, Dreamweaver, XD, InDesign, Experience Manager Forms, and Bridge CC. Microsoft addressed some seventy issues, two of them privilege-escalation vulnerabilities.