Hackers have been spotted attempting to manipulate critical industrial safety systems to cause physical damage.
The malware spotted by cybersecurity firm FireEye is one of the few examples of hacking tools designed to cause real-world harm rather than steal money or data.
It was found by FireEye's Mandiant team responding to an alert from an industrial customer after a compromise had been detected on its computers.
The malware was designed to manipulate the systems which provide emergency shutdown to prevent physical damage being caused if industrial processes go wrong.
FireEye stated that this was not evidence that such an attack was imminent as attackers often penetrate systems to retain the capability to launch such attacks in the future, without the intention of doing so.
The malicious software specifically targeted the customer's Safety Instrumented Systems, autonomous controls that independently monitor industrial processes.
By manipulating what the safety systems would go into alert over, the malware's impact could have extended to "human safety, the environment, or damage to equipment" according to FireEye.
Although rare, malware has been used to cause physical damage before. In 2010, the US and Israel deployed the Stuxnet virus to destroy a number of Iran's nuclear centrifuges.
Stuxnet reportedly destroyed up to 1,000 centrifuges at the Iranian uranium enrichment facility in Natanz.
Another hacking tool called Industroyer, believed to have been sponsored by the Russian state, was identified targeting the Ukrainian power grid in 2016.
FireEye said it has "not connected this activity to any actor we currently track" regarding Triton, however it assessed "with moderate confidence" that it was developed by "a nation state".
"The targeting of critical infrastructure as well as the attacker's persistence, lack of any clear monetary goal and the technical resources necessary to create the attack framework suggest a well-resourced nation state actor," the researchers said.
"The targeting of critical infrastructure to disrupt, degrade, or destroy systems is consistent with numerous attack and reconnaissance activities carried out globally by Russian, Iranian, North Korean, US, and Israeli nation state actors.
More from Cyberattacks
"Intrusions of this nature do not necessarily indicate an immediate intent to disrupt targeted systems, and may be preparation for a contingency."
FireEye did not name the organisation targeted, nor the region in which it was located.