Devastating hacking group expands focus to US power grid

The Xenotime hackers were previously responsible for the Triton malware that brought an oil and gas facility to its knees

Electricity pylon

Security researchers from Dragos have observed the hacking group Xenotime, known for highly effective malware attacks, has expanded its focus and is now probing the US power grid for possible entry points.

Xenotime is best known for its distribution of the 'Triton' malware back in 2017 which targeted industrial machinery and IoT devices, causing them to run unsafely, inflict physical damage to equipment and shut down production lines.

Dragos has been tracking Xenotime's activity for months and although the group has been known to target the oil and gas sector, the recent expansion into the electricity sector indicates a further investment of time and resources into breaking critical infrastructure.

The researchers said that the amount of resources required to carry out probes of this scale previously limited the number of threat actors which were capable of such attacks, but success breeds interest from other parties too.

"The high resource requirement previously limited such attacks to a few potential adversaries, but as more players see value and interest in targeting critical infrastructure - and those already invested see dividends from their behaviours - the threat landscape grows," said Dragos.

Since the group's shift into the electricity sector in February, it's believed the probes haven't been successful or caused any power outages, but Dragos stressed the importance of understanding the group's methodologies for all industrial control system (ICS) operators.

"A key element in defence against sophisticated, expanding threats is understanding threat behaviours and methodologies, beyond simply indicators of compromise," it said.

Xenotime's scanning of the power grid shouldn't be considered a fully-fledged cyber attack just yet, by probing the network and looking for entry points, it could be seen as an attempt to 'test the waters' and see where weaknesses in the network lie before potentially launching a full-scale attack.

Although no malicious action has been taken yet, Xenotime's proven ability to launch devastating attacks should be cause for concern and also offers an insight into the future threat landscape as hackers move away from mere financial returns.

"Hackers work for many motives and goals. Those who are profit minded look for the most return for the least investment," said Sam Curry, chief security officer at Cybereason. "Those who aren't profit minded either want splash, and electrical power is showy, or they want options for the extension of politics by other means. However you slice it, the electrical grid is attractive to hackers."

Dragos said the activity observed thus far is in-line with the textbook plays attackers make before launching cyber attacks on ICS infrastructure. In addition to general network reconnaissance, Dragos observed incidents of credential stuffing to attempt authentication and using stolen usernames and passwords to force entry into user accounts.

"Ultimately, Xenotime's expansion to an additional ICS vertical is deeply concerning given this entity's willingness to undermine fundamental process safety in ICS environments placing lives and environments at great risk," said Dragos.

Xenotime's most notable attack was the distribution of a malware strain dubbed 'Triton' which forced a sophisticated oil and gas facility in the Middle East to shut down.

The malware caused industrial machinery to operate unsafely to the extent where it could have seriously injured human operators, so it was shut down and eventually, the entire facility halted operations.

The malware affected Safety Instrumented System (SIS) controllers, pieces of equipment designed to regulate safe machinery, and if faults are detected then the machine is safely taken offline by the SIS controller.

It was believed the malware was designed to reprogram the SIS controller and force it to allow machinery to continue running when unsafe, which could have caused the machine to break entirely or even cause actual harm to humans.

Featured Resources

Choosing a collaboration platform

Eight questions every IT leader should ask

Download now

Performance benchmark: PostgreSQL/ MongoDB

Helping developers choose a database

Download now

Customer service vs. customer experience

Three-step guide to modern customer experience

Download now

Taking a proactive approach to cyber security

A complete guide to penetration testing

Download now

Recommended

HackBoss malware is using Telegram to steal cryptocurrency from other hackers
cryptocurrencies

HackBoss malware is using Telegram to steal cryptocurrency from other hackers

16 Apr 2021
Mastering endpoint security implementation
Security

Mastering endpoint security implementation

16 Apr 2021
US, UK say Russia was behind SolarWinds hack
cyber attacks

US, UK say Russia was behind SolarWinds hack

16 Apr 2021
1Password targets enterprise customers with Secrets Automation
IT infrastructure

1Password targets enterprise customers with Secrets Automation

14 Apr 2021

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

8 Apr 2021
UK exploring plans to launch its own digital currency
digital currency

UK exploring plans to launch its own digital currency

19 Apr 2021