In a new troubling escalation, hackers behind at least two potentially fatal intrusions on industrial facilities have expanded their activities to probing dozens of power grids in the US and elsewhere, researchers with security firm Dragos reported Friday.
The group, now dubbed Xenotime by Dragos, quickly gained international attention in 2017 when researchers from Dragos and the Mandiant division of security firm FireEye independently reported Xenotime had recently triggered a dangerous operational outage at a critical-infrastructure site in the Middle East. Researchers from Dragos have labeled the group the world's most dangerous cyber threat ever since.
The most alarming thing about this attack was its use of never-before-seen malware that targeted the facilitys safety processes. Such safety instrumented systems are a combination of hardware and software that many critical infrastructure sites use to prevent unsafe conditions from arising. When gas fuel pressures or reactor temperatures rise to potentially unsafe thresholds, for instance, an SIS will automatically close valves or initiate cooling processes to prevent health- or life-threatening accidents.
In April, FireEye reported that the SIS-tampering malware, known alternately as Triton and Trisis, was used in an attack on another industrial facility.
Proliferating across sectors
Now, Dragos is reporting that Xenotime has been performing network scans and reconnaissance on multiple components across the electric grids in the US and in other regions. Sergio Caltagirone, senior VP of threat intelligence at Dragos, told Ars his firm has detected dozens of utilities—about 20 of them located in the US—that have been subjected to Xenotime probes since late 2018. While the activities indicate only an initial exploration and theres no evidence the utilities have been compromised, he said the expansion was nonetheless concerning.
“The threat has proliferated and is now targeting the US and Asia Pacific electric utilities, which means that we are no longer safe thinking that the threat to our electric utilities is understood or stable,” he said in an interview. “This is the first signal that threats are proliferating across sectors, which means that now we cant be certain that a threat to one sector will stay in that sector and wont cross over.”
The probes come in multiple forms. One is credential-stuffing attacks, which use passwords stolen in earlier, sometimes unrelated breaches in hopes they will work against new targets. Another is network scans, which map and catalog the various computers, routers, and other devices connected to it and list the network ports they receive connections on.
“The scale of the operation, the number targeted and the regions being targeted,” Caltagirone said, “shows more than just a passing interest in the sector.”
The first-reported attack, which E&E News reported in March, targeted Saudi Arabian oil refinery Petro Rabigh and an SIS product line known as Triconex made by Schneider Electric. An analysis of the Triton malware showed its developers have performed extensive reverse engineering of the product. The SIS targeted in the attack shut down operations when it experienced an error that occurred as the hackers were performing reconnaissance on the facility. Although the hackers were likely seeking the ability to cause physical damage inside the facility, the November shutdown was likely an accident.
Less is known about the Xenotime intrusion on the second critical facility. Its still not clear, for instance, if it also targeted a Triconex SIS or whether it resulted in an outage or unsafe conditions.
So far no one knows for sure who Xenotime is. Initial suspicions pointed to hackers working on behalf of Iran. Last October, FireEye assessed with high confidence that Triton was developed with the help of the Central Scientific Research Institute of Chemistry and Mechanics in Moscow. Russia has been tied to other critical infrastructure attacks, including one in December 2015 on regional power authorities in Ukraine that left hundreds of thousands of people in the Ivano-Frankivsk region of Ukraine without electricity. That attack represented the first known hacker-caused power outage. And almost exactly one year later, a second hack tied to Russia took out power in Ukraine again.
Whoever is behind Xenotime, the group's demonstrated ability to cause physical destruction puts it in a group of threat actors that so far is known to include only four others. In a post published on Friday Dragos researchers wrote:
While none of the electric utility targeting events has resulted in a known, successful intrusion into victim organizations to date, the persistent attempts, and expansion in scope is cause for definite concern. XENOTIME has successfully compromised several oil and gas environments which demonstrates its ability to do so in other verticals. Specifically, XENOTIME remains one of only four threats (along with ELECTRUM, Sandworm, and the entities responsible for Read More – Source