Xenotime, Hacking Group Behind Triton, Found Probing Industrial Control Systems of Power Grids in the US

The hacking group behind intrusions targeting facilities in oil and gas industries has started probing industrial control systems (ICSs) of power grids in the U.S. and the Asia-Pacific region, researchers reported. The group, named Xenotime, is known for the Triton malware, which was used in cyberattacks that crippled an industrial plant reportedly located in the Middle East in 2017.

Security researchers and analysts at Dragos and the Electric Information Sharing and Analysis Center (E-ISAC) have been tracking the group’s activities since late 2018. They’ve found that the group has expanded their targets to at least 20 electric utilities in the U.S., scanning for and enumerating the targeted organizations’ remote login portals and vulnerabilities in their network resources.

[Trend Micro Research: MQTT and CoAP: Security and Privacy Issues in IoT and IIoT Communication Protocols]

While these activities fall short of compromising the industrial systems and causing power outages, they are a red flag that foresees Xenotime’s next move. In fact, the group’s activities don’t appear isolated. Last April, researchers at FireEye reported about the same Triton aka Trisis malware that targeted the safety instrumented systems (SISs) of another industrial facility.

[READ: Cultivating Security in the Food Production Industry: Nipping IoT Risks and Threats in the Bud]

Xenotime’s malware works by accessing and modifying a targeted SIS. In industrial environments, a SIS can be a combination of software and hardware that acts as an emergency measure that puts critical systems suffering from operational problems into a “safe mode” to avoid further adverse impact. By gaining access to and tampering an industrial facility’s SIS, a hacker can effectively disrupt its operations or even cause physical damage.

For now, Dragos and the E-ISAC have observed Xenotime performing only credential stuffing, network scanning, and reconnaissance. But given the hacking group’s history, it is expected to use these for their future intrusions and malware campaigns.

[READ: Why Attackers Target Industrial Control Systems and What Enterprises can Do]

While cyberattacks on ICSs — whether for sabotage or cyberespionage — aren’t new, they will remain perennial issues in the threat landscape. Trend Micro researchers, for instance, have consistently seen cybersecurity gaps in the industrial internet of things (IIoT) — from vulnerable critical infrastructures in water and energy industries, manufacturing, and 5G network and data architecture to industrial remote controllers.

Indeed, the increasing ubiquity of ICSs or IIoT devices in enterprise settings should spur organizations into strengthening their security posture against threats like Triton or Stuxnet, as these can have disruptive or destructive consequences when successfully deployed on an exposed or vulnerable ICS or IIoT device.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.