The hacking group behind intrusions targeting facilities in oil and gas industries has started probing industrial control systems (ICSs) of power grids in the U.S. and the Asia-Pacific region, researchers reported. The group, named Xenotime, is known for the Triton malware, which was used in cyberattacks that crippled an industrial plant reportedly located in the Middle East in 2017.
Security researchers and analysts at Dragos and the Electricity Information Sharing and Analysis Center (E-ISAC) have been tracking the group’s activities since late 2018. They’ve found that the group has expanded its targets to at least 20 electric utilities in the U.S., scanning for and enumerating the targeted organizations’ remote login portals and vulnerabilities in their network resources.
While these activities fall short of compromising the industrial systems and causing power outages, they are a red flag signaling Xenotime’s next move. In fact, the group’s activities don’t appear to be isolated. Last April, researchers at FireEye reported that the same Triton (aka Trisis) malware had targeted the safety instrumented systems (SISs) of another industrial facility.
Xenotime’s malware works by accessing and modifying a targeted SIS. In industrial environments, a SIS can be a combination of software and hardware that acts as an emergency measure, putting critical systems suffering from operational problems into a “safe mode” to avoid further adverse impact. By gaining access to and tampering with an industrial facility’s SIS, an attacker can effectively disrupt its operations or even cause physical damage.
For now, Dragos and the E-ISAC have observed Xenotime performing only credential stuffing, network scanning, and reconnaissance. But given the hacking group’s history, it is expected to use these as groundwork for its future intrusions and malware campaigns.
Indeed, the increasing ubiquity of ICSs or IIoT devices in enterprise settings should spur organizations into strengthening their security posture against threats like Triton or Stuxnet, as these can have disruptive or destructive consequences when successfully deployed on an exposed or vulnerable ICS or IIoT device.