Analysis
Features
Industrial Cyber Attacks
Mining, Oil & Gas
Vendors

Xenotime Triton Hackers Target U.S Power Grids

June 16, 2019
Xenotime hacker group

Industrial cybersecurity company Dragos announced that dangerous hackers from Xenotime were now targeting power grids in the United States. The group, known as Xenotime is believed to be responsible for the now infamous Triton malware attacks on the oil and gas industry.

“Industrial control system (ICS) cyber threats are proliferating. More capable adversaries are investing heavily in the ability to disrupt critical infrastructure like oil and gas, electric power, water, and more,” Dragos said in the post. “Attacking any industrial sector requires significant resources, which increases as capabilities and targeting expand. The high resource requirement previously limited such attacks to a few potential adversaries, but as more players see value and interest in targeting critical infrastructure – and those already invested see dividends from their behaviors – the threat landscape grows.”

Xenotime first rose to prominence in 2017 when researchers from Dragos and the Mandiant division of security firm FireEye each reported Xenotime was responsible for an operational outage at a critical-infrastructure site in the Middle East. As part of the attack Xenotime used Triton malware to target the facility’s safety processes.

In the oil and gas industry, safety systems use both hardware and software to prevent unsafe conditions. For example,  if gas fuel pressures or reactor temperatures rise to potentially unsafe thresholds, safety systems work to automatically close valves or initiate cooling processes. These systems are integral to preventing dangerous and  life-threatening accidents.

[optin-monster-shortcode id=”dv4jqlr9fih8giagcylw”]

Following the 2017 attacks, Dragos labeled Xenotime the world’s most dangerous cyber threat. Then, this past April, FireEye reported that the Triton malware was used in an attack on another industrial facility.

The recently discovered Xenotime activity involved network scans and reconnaissance on multiple components across electric grids in the U.S. and in other regions. This past February, Dragos discovered that starting in late 2018, Xenotime began probing the networks of electric utility organizations using similar tactics to the group’s operations against oil and gas companies.

“XENOTIME is the only known entity to specifically target safety instrumented systems (SIS) for disruptive or destructive purposes,” Dragos said in a statement. “Electric utility environments are significantly different from oil and gas operations in several aspects, but electric operations still have safety and protection equipment that could be targeted with similar trade-craft. Xenotime expressing consistent, direct interest in electric utility operations is a cause for deep concern given this adversary’s willingness to compromise process safety – and thus integrity – to fulfill its mission.”

Xenotime’s probes have taken several different forms. For example, in credential-stuffing attacks, the hackers attempt to use passwords they have collected through earlier attacks. Another method is a network scan that allows hackers to map and catalog the various computers, routers, and other devices in the system and the network ports connected to them.

In order to combat the hacks, Dragos recommends organizations work to improve the visibility and awareness around ICS network activity. Dragos says organizations should also utilize ICS-specific threat intelligence to identify unique threat behavior patterns, evolving adversary methodology, and specific conduct. Additionally, Dragos suggests organizations leverage all available information sources and fuse them to gain a complete view of ICS network operations.

“For policymakers and risk managers, it is important to note that cross-geography and cross-industry collaboration is critical,” says Dragos. “Critical infrastructure cannot be siloed as the threat is operating across verticals and may even use one against the other; for instance, targeting electric to deny power to an oil refinery. Utilities, companies, and governments must work cooperatively around the world and across industrial sectors to jointly defend lives and infrastructure from the increasing scope and scale of offensive critical infrastructure cyber attack.”

Rebecca Addison
Industrial Cyber Editor. Rebecca Addison is a former newspaper editor with a decade of experience in the media industry. During her career, she has interviewed world leaders and corporate CEOs, and covered topics ranging from blockchain and CBD to healthcare and education.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

RMC
Risk Mitigation Consulting acquires Securicon, boosting cybersecurity and mission assurance offerings
Hackers target Tipton Municipal Utilities wastewater treatment plant, prompting federal investigation
Hackers target Tipton Municipal Utilities wastewater treatment plant, prompting federal investigation
New CGCYBER report warns of cybersecurity risks in marine environment due to network-connected OT systems
New CGCYBER report warns of cybersecurity risks in marine environment due to network-connected OT systems
Ukrainian CERT details malicious plan by Sandworm group to disrupt critical infrastructure facilities
Ukrainian CERT details malicious plan by Sandworm group to disrupt critical infrastructure facilities
Waterfall’s WF-600 unidirectional security gateway brings 'unbreachable protection' to OT/ICS networks
Waterfall, 2TS enter into cybersecurity alliance for African market
Honeywell’s 2024 USB Threat Report reveals significant rise in malware frequency, highlighting growing concerns
Honeywell’s 2024 USB Threat Report reveals significant rise in malware frequency, highlighting growing concerns
Enhancing industrial cybersecurity by tackling threats, complying with regulations, boosting operational resilience
Enhancing industrial cybersecurity by tackling threats, complying with regulations, boosting operational resilience
Radiflow helps customers achieve NIS2 compliance, spurring growth in Europe
Radiflow, Exclusive Networks partner to elevate OT cybersecurity
MITRE plans to enhance cybersecurity in 2024 with ICS sub-techniques and multi-domain integration
MITRE plans to enhance cybersecurity in 2024 with ICS sub-techniques and multi-domain integration
Hexagon and Dragos announce technical alliance to boost industrial cybersecurity, reduce overall OT cyber risk
Hexagon and Dragos announce technical alliance to boost industrial cybersecurity, reduce overall OT cyber risk