Devastating hacking group expands focus to US power grid

The Xenotime hackers were previously responsible for the Triton malware that brought an oil and gas facility to its knees

Electricity pylon

Security researchers from Dragos have observed the hacking group Xenotime, known for highly effective malware attacks, has expanded its focus and is now probing the US power grid for possible entry points.

Xenotime is best known for its distribution of the 'Triton' malware back in 2017 which targeted industrial machinery and IoT devices, causing them to run unsafely, inflict physical damage to equipment and shut down production lines.

Dragos has been tracking Xenotime's activity for months and although the group has been known to target the oil and gas sector, the recent expansion into the electricity sector indicates a further investment of time and resources into breaking critical infrastructure.

The researchers said that the amount of resources required to carry out probes of this scale previously limited the number of threat actors which were capable of such attacks, but success breeds interest from other parties too.

"The high resource requirement previously limited such attacks to a few potential adversaries, but as more players see value and interest in targeting critical infrastructure - and those already invested see dividends from their behaviours - the threat landscape grows," said Dragos.

Since the group's shift into the electricity sector in February, it's believed the probes haven't been successful or caused any power outages, but Dragos stressed the importance of understanding the group's methodologies for all industrial control system (ICS) operators.

"A key element in defence against sophisticated, expanding threats is understanding threat behaviours and methodologies, beyond simply indicators of compromise," it said.

Xenotime's scanning of the power grid shouldn't be considered a fully-fledged cyber attack just yet, by probing the network and looking for entry points, it could be seen as an attempt to 'test the waters' and see where weaknesses in the network lie before potentially launching a full-scale attack.

Although no malicious action has been taken yet, Xenotime's proven ability to launch devastating attacks should be cause for concern and also offers an insight into the future threat landscape as hackers move away from mere financial returns.

"Hackers work for many motives and goals. Those who are profit minded look for the most return for the least investment," said Sam Curry, chief security officer at Cybereason. "Those who aren't profit minded either want splash, and electrical power is showy, or they want options for the extension of politics by other means. However you slice it, the electrical grid is attractive to hackers."

Dragos said the activity observed thus far is in-line with the textbook plays attackers make before launching cyber attacks on ICS infrastructure. In addition to general network reconnaissance, Dragos observed incidents of credential stuffing to attempt authentication and using stolen usernames and passwords to force entry into user accounts.

"Ultimately, Xenotime's expansion to an additional ICS vertical is deeply concerning given this entity's willingness to undermine fundamental process safety in ICS environments placing lives and environments at great risk," said Dragos.

Xenotime's most notable attack was the distribution of a malware strain dubbed 'Triton' which forced a sophisticated oil and gas facility in the Middle East to shut down.

The malware caused industrial machinery to operate unsafely to the extent where it could have seriously injured human operators, so it was shut down and eventually, the entire facility halted operations.

The malware affected Safety Instrumented System (SIS) controllers, pieces of equipment designed to regulate safe machinery, and if faults are detected then the machine is safely taken offline by the SIS controller.

It was believed the malware was designed to reprogram the SIS controller and force it to allow machinery to continue running when unsafe, which could have caused the machine to break entirely or even cause actual harm to humans.

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Recommended

Global ransom DDoS extortionists are retargeting companies
distributed denial of service (DDOS)

Global ransom DDoS extortionists are retargeting companies

22 Jan 2021
Best ransomware removal tools
ransomware

Best ransomware removal tools

22 Jan 2021
Hackers publish over 4,000 files stolen from SEPA in ransomware attack
Security

Hackers publish over 4,000 files stolen from SEPA in ransomware attack

22 Jan 2021
BEC scammers are using Google Forms to identify easy victims
phishing

BEC scammers are using Google Forms to identify easy victims

21 Jan 2021

Most Popular

School laptops sent by government arrive loaded with malware
malware

School laptops sent by government arrive loaded with malware

21 Jan 2021
How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

21 Jan 2021
What is the Raspberry Pi Pico?
Hardware

What is the Raspberry Pi Pico?

21 Jan 2021