Industrial cybersecurity company Dragos announced that the hacking group Xenotime is now targeting power grids in the United States. Xenotime is believed to be responsible for the now infamous Triton malware attacks on the oil and gas industry.
“Industrial control system (ICS) cyber threats are proliferating. More capable adversaries are investing heavily in the ability to disrupt critical infrastructure like oil and gas, electric power, water, and more,” Dragos said in the post. “Attacking any industrial sector requires significant resources, which increases as capabilities and targeting expand. The high resource requirement previously limited such attacks to a few potential adversaries, but as more players see value and interest in targeting critical infrastructure – and those already invested see dividends from their behaviors – the threat landscape grows.”
Xenotime first rose to prominence in 2017, when researchers from Dragos and from the Mandiant division of security firm FireEye each reported that Xenotime was responsible for an operational outage at a critical-infrastructure site in the Middle East. As part of the attack, Xenotime used Triton malware to target the facility’s safety processes.
In the oil and gas industry, safety systems use both hardware and software to prevent unsafe conditions. For example, if gas fuel pressures or reactor temperatures rise to potentially unsafe thresholds, safety systems work to automatically close valves or initiate cooling processes. These systems are integral to preventing dangerous and life-threatening accidents.
Following the 2017 attacks, Dragos labeled Xenotime the world’s most dangerous cyber threat. Then, this past April, FireEye reported that the Triton malware was used in an attack on another industrial facility.
The recently discovered Xenotime activity involved network scans and reconnaissance on multiple components across electric grids in the U.S. and in other regions. This past February, Dragos discovered that starting in late 2018, Xenotime began probing the networks of electric utility organizations using similar tactics to the group’s operations against oil and gas companies.
“XENOTIME is the only known entity to specifically target safety instrumented systems (SIS) for disruptive or destructive purposes,” Dragos said in a statement. “Electric utility environments are significantly different from oil and gas operations in several aspects, but electric operations still have safety and protection equipment that could be targeted with similar trade-craft. Xenotime expressing consistent, direct interest in electric utility operations is a cause for deep concern given this adversary’s willingness to compromise process safety – and thus integrity – to fulfill its mission.”
Xenotime’s probes have taken several different forms. For example, in credential-stuffing attacks, the hackers attempt to log in with passwords they have collected through earlier breaches. Another method is a network scan, which lets the hackers map and catalog the various computers, routers, and other devices on the network and the network ports each of them exposes.
To defend against these intrusions, Dragos recommends that organizations improve visibility into and awareness of ICS network activity. Dragos also says organizations should use ICS-specific threat intelligence to identify distinctive threat behavior patterns, evolving adversary methodology, and specific conduct. Additionally, Dragos suggests that organizations draw on all available information sources and fuse them to gain a complete view of ICS network operations.
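As an added example that is not part of the article and not code from Dragos, the following Python shows what the recommended visibility can look like in practice: it flags the two probe patterns described above, credential stuffing and network scanning, in constructed authentication and flow records. The IP addresses, usernames, thresholds and record layout are assumptions; the ICS port numbers are the standard ones for those protocols.

```python
from collections import defaultdict

# Constructed sample telemetry (not from the article). Each auth record is
# (source_ip, username, success); each flow record is (source_ip, dest_ip, dest_port).
AUTH_LOG = [
    ("10.0.5.23", "operator1", False),
    ("10.0.5.23", "hmi_admin", False),
    ("10.0.5.23", "engineer2", False),
    ("10.0.5.23", "historian", False),
    ("10.0.5.23", "backup_svc", True),   # one reused password worked
    ("10.0.7.9", "operator1", False),
    ("10.0.7.9", "operator1", True),     # a legitimate user mistyping once
]
FLOW_LOG = [
    ("10.0.5.23", "192.168.20.10", 502),     # Modbus/TCP
    ("10.0.5.23", "192.168.20.10", 102),     # ISO-TSAP (Siemens S7)
    ("10.0.5.23", "192.168.20.10", 20000),   # DNP3
    ("10.0.5.23", "192.168.20.11", 502),
    ("10.0.5.23", "192.168.20.12", 44818),   # EtherNet/IP
    ("10.0.5.23", "192.168.20.13", 502),
    ("10.0.7.9", "192.168.20.10", 502),      # an HMI polling its usual PLC
    ("10.0.7.9", "192.168.20.10", 502),
]

def credential_stuffing_sources(auth_log, min_accounts=4):
    """Return sources whose failed logins spread across many distinct accounts.
    A stuffing run tries leaked credentials account by account, so the tell is
    breadth of usernames from one source, not repeated retries on one account."""
    failed_users = defaultdict(set)
    for src, user, ok in auth_log:
        if not ok:
            failed_users[src].add(user)
    return {src: sorted(users) for src, users in failed_users.items()
            if len(users) >= min_accounts}

def scanning_sources(flow_log, min_targets=4):
    """Return sources that touched many distinct (host, port) pairs, the footprint
    of a reconnaissance sweep across ICS hosts, with the count of pairs seen."""
    targets = defaultdict(set)
    for src, dst, port in flow_log:
        targets[src].add((dst, port))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}

def successes_after_stuffing(auth_log, stuffing_sources):
    """Highest-priority alert: a stuffing source that eventually logged in."""
    return sorted({(src, user) for src, user, ok in auth_log
                   if ok and src in stuffing_sources})
```

On the sample data, 10.0.5.23 is reported for both patterns and for a successful login after the failures, while the HMI at 10.0.7.9 is not flagged.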
“For policymakers and risk managers, it is important to note that cross-geography and cross-industry collaboration is critical,” says Dragos. “Critical infrastructure cannot be siloed as the threat is operating across verticals and may even use one against the other; for instance, targeting electric to deny power to an oil refinery. Utilities, companies, and governments must work cooperatively around the world and across industrial sectors to jointly defend lives and infrastructure from the increasing scope and scale of offensive critical infrastructure cyber attack.”