Devastating hacking group expands focus to US power grid

The Xenotime hackers were previously responsible for the Triton malware that brought an oil and gas facility to its knees

Electricity pylon

Security researchers from Dragos have observed the hacking group Xenotime, known for highly effective malware attacks, has expanded its focus and is now probing the US power grid for possible entry points.

Xenotime is best known for its distribution of the 'Triton' malware back in 2017 which targeted industrial machinery and IoT devices, causing them to run unsafely, inflict physical damage to equipment and shut down production lines.

Dragos has been tracking Xenotime's activity for months and although the group has been known to target the oil and gas sector, the recent expansion into the electricity sector indicates a further investment of time and resources into breaking critical infrastructure.

The researchers said that the amount of resources required to carry out probes of this scale previously limited the number of threat actors which were capable of such attacks, but success breeds interest from other parties too.

"The high resource requirement previously limited such attacks to a few potential adversaries, but as more players see value and interest in targeting critical infrastructure - and those already invested see dividends from their behaviours - the threat landscape grows," said Dragos.

Since the group's shift into the electricity sector in February, it's believed the probes haven't been successful or caused any power outages, but Dragos stressed the importance of understanding the group's methodologies for all industrial control system (ICS) operators.

"A key element in defence against sophisticated, expanding threats is understanding threat behaviours and methodologies, beyond simply indicators of compromise," it said.

Xenotime's scanning of the power grid shouldn't be considered a fully-fledged cyber attack just yet, by probing the network and looking for entry points, it could be seen as an attempt to 'test the waters' and see where weaknesses in the network lie before potentially launching a full-scale attack.

Although no malicious action has been taken yet, Xenotime's proven ability to launch devastating attacks should be cause for concern and also offers an insight into the future threat landscape as hackers move away from mere financial returns.

"Hackers work for many motives and goals. Those who are profit minded look for the most return for the least investment," said Sam Curry, chief security officer at Cybereason. "Those who aren't profit minded either want splash, and electrical power is showy, or they want options for the extension of politics by other means. However you slice it, the electrical grid is attractive to hackers."

Dragos said the activity observed thus far is in-line with the textbook plays attackers make before launching cyber attacks on ICS infrastructure. In addition to general network reconnaissance, Dragos observed incidents of credential stuffing to attempt authentication and using stolen usernames and passwords to force entry into user accounts.

"Ultimately, Xenotime's expansion to an additional ICS vertical is deeply concerning given this entity's willingness to undermine fundamental process safety in ICS environments placing lives and environments at great risk," said Dragos.

Xenotime's most notable attack was the distribution of a malware strain dubbed 'Triton' which forced a sophisticated oil and gas facility in the Middle East to shut down.

The malware caused industrial machinery to operate unsafely to the extent where it could have seriously injured human operators, so it was shut down and eventually, the entire facility halted operations.

The malware affected Safety Instrumented System (SIS) controllers, pieces of equipment designed to regulate safe machinery, and if faults are detected then the machine is safely taken offline by the SIS controller.

It was believed the malware was designed to reprogram the SIS controller and force it to allow machinery to continue running when unsafe, which could have caused the machine to break entirely or even cause actual harm to humans.

Featured Resources

Digital document processes in 2020: A spotlight on Western Europe

The shift from best practice to business necessity

Download now

Four security considerations for cloud migration

The good, the bad, and the ugly of cloud computing

Download now

VR leads the way in manufacturing

How VR is digitally transforming our world

Download now

Deeper than digital

Top-performing modern enterprises show why more perfect software is fundamental to success

Download now

Recommended

'Robin Hood' hackers donate stolen Bitcoin to charity
ransomware

'Robin Hood' hackers donate stolen Bitcoin to charity

21 Oct 2020
Mobile browser flaw exposes users to spoofing attacks
Security

Mobile browser flaw exposes users to spoofing attacks

21 Oct 2020
Lumen's digital portal simplifies the ordering of IT solutions
Business strategy

Lumen's digital portal simplifies the ordering of IT solutions

20 Oct 2020
US charges six Russians behind NotPetya and Olympics hacks
Security

US charges six Russians behind NotPetya and Olympics hacks

20 Oct 2020

Most Popular

The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

5 Oct 2020
Google blocked record-breaking 2.5Tbps DDoS attack in 2017
Security

Google blocked record-breaking 2.5Tbps DDoS attack in 2017

19 Oct 2020
What is a 502 bad gateway and how do you fix it?
web hosting

What is a 502 bad gateway and how do you fix it?

5 Oct 2020