Triton is built to interact with Triconex Safety Instrumented System controllers and prevents emergency shutdown of such systems. The activity set of Triton was being tracked as TEMP.veles, FireEye said.
Last year's incident was at a petrochemical plant in Saudi Arabia which was forced to down shutters after the attack.
In a blog post on Tuesday, FireEye claimed the activity that led to the deployment of Triton was supported by the Central Scientific Research Institute of Chemistry and Mechanics, a Russian government-owned technical research institution located in Moscow.
iTWire has sought comment from the company about these two points.
In response, John Hultquist, director of Intelligence Analysis, said: "The attack was dangerous and put lives at risk. Once more, the fact that an error brought operations to a halt proves the operators were not totally in control.
"We shared details of this with government and commercial clients all over the world in advance."
FireEye has not identified the location of last year's Triton attack as yet. In is blog post, FireEye said that malware testing activity suggested links between TEMP.Veles and the Russian institute.
It also claimed that the behaviour patterns of the attackers was consistent with the Moscow time zone.
While FireEye did admit that the Triton malware may have been created and deployed by rogue employees of the institute in question, it said the characteristics noticed were more typical of an organisation.