Dymalloy, Electrum, and Xenotime Hacking Groups Set Their Targets on US Energy Sector
At least three hacking groups have been identified aiming to interfere with or disrupt power grids across the United States. Attacks against the utilities industry are on the rise, according to a report on the state of industrial control systems (ICSs).
The oil, gas, water, and energy industries have proven to be valuable targets for threat actors looking to compromise ICS environments. As these facilities are critical to economies around the world, disruption campaigns allow adversaries to further their respective goals.
Numerous intrusions into ICS networks have demonstrated the growing interest in targeting the energy sector. Industrial security company Dragos shared that seven groups have targeted electrical facilities in North America, and three of these — Dymalloy, Electrum, and Xenotime — have the ability to facilitate disruptive or destructive attacks.
Assessing Dymalloy, Electrum, and Xenotime Hacking Groups
The Dymalloy hacking group aims to maintain persistent access to information technology (IT) and operational technology (OT) environments through extensive intelligence gathering. Its campaigns have been distributed across Europe, North America, and Turkey. Some even speculate that Dymalloy has links to the Dragonfly hacking group.
The researchers said that the Electrum hacking group had the resources to develop malware that can modify electric equipment processes and ICS protocols. The group has also been linked to the infamous attack against power grids in Ukraine.
The third hacking group, Xenotime, is the group behind the Triton attack against oil and gas facilities in the Middle East in 2017. The attackers first gained remote access to Schneider Electric’s Triconex safety instrumented system (SIS) and then deployed Triton on a Windows-based workstation to reprogram the controllers. Since then, Xenotime has expanded its activities to industrial environments in other regions, most notably probing power grids in the US.
The report further notes that original equipment manufacturers (OEMs), third-party suppliers, and telecommunications providers could play a role in significant supply chain compromises. In our 2020 security predictions, we highlighted how putting unfettered trust in third parties — particularly those involved in manufacturing environments — could jeopardize business processes and security measures by becoming springboards for compromise.
Threat actors have different motives for carrying out attacks against ICS, ranging from financial and political to military motivations. Attacks typically start with reconnaissance, where an attacker surveys the targeted environment. From there, they can employ different tactics to gain a foothold in the network. Threat actors can also take advantage of software vulnerabilities and other system weaknesses to launch payloads.
Securing industrial control systems
As physical components and digital networks increasingly get integrated, industrial environments should put more importance on security. Threat actors could see the convergence as an opportunity to move laterally across networks, jumping across IT and OT systems to perpetrate industrial espionage and process sabotage.
While attacks against ICS environments can be complex, basic cybersecurity practices on these systems, such as using complex passwords and implementing two-factor authentication (2FA), are a step in the right direction. We have outlined other defensive strategies that organizations should adopt to secure their ICS implementations, such as:
- Access Policies and Control. Define control access to a device, network, or service, including physical and digital access, by establishing security roles and authentication procedures.
- Intrusion Detection. Regularly monitor system activity for potentially malicious events in the network.
- Network Segmentation. Separate systems into distinct security zones and implement layers of protection that will isolate critical areas of the system.
- System Hardening. Lock down the functionality of various system components to prevent unauthorized access or changes, remove unnecessary functions or features, and patch any known vulnerabilities.