Creators of Trisis malware have expanded their ICS attacks

News roundup: Dragos researchers say the group behind the Trisis malware has expanded its ICS attacks. Plus, Roaming Mantis malware now targets iOS devices, and more.

The group behind the Trisis malware attack on an oil and gas company in Saudi Arabia last year has also now hacked industrial firms in other countries, according to new research.

Cybersecurity company Dragos Inc. published a report this week that identifies a new threat group called Xenotime as the authors of the Trisis malware, also known as Triton, and warned of a similar malware campaign that has been targeting unnamed companies globally with industrial control system (ICS) attacks.

"Dragos assesses with moderate confidence that Xenotime intends to establish required access and capability to cause a potential, future disruptive -- or even destructive -- event," Dragos said in its blog post about the threat. "The group created a custom malware framework and tailor-made credential gathering tools, but an apparent misconfiguration prevented the attack from executing properly. As Xenotime matures, it is less likely that the group will make this mistake in the future."

Xenotime has likely been active since 2014, according to Dragos, but drew most of its attention in December 2017, when FireEye Inc. published details of the Trisis malware, which targeted Schneider Electric's Triconex safety instrumented system and triggered a shutdown at an oil and gas facility in Saudi Arabia.

"Trisis was an escalation of the type of attacks historically targeting ICS systems," Dragos said. "Targeting a safety system indicates significant damage and loss of human life were either intentional or acceptable goals of the attack, a consequence not seen in previous disruptive attacks such as the 2016 CrashOverride malware that caused a power loss in Ukraine."

A week after FireEye reported the Trisis malware attack, Schneider Electric posted a file that contained pieces of the malware's framework, and, before it could be taken down, the file was downloaded and made publicly available.

Trisis was tailored to a single safety system at a single site, but Dragos says the group's newer activity, which targets companies globally, is no longer limited to one system.

The report didn't include any technical details about the new hacks, but Dragos founder and CEO Robert M. Lee took to Twitter to explain the importance of the findings. Lee said the updates to Xenotime's campaign are significant because "it means that engineering/operations must truly consider cyber components to safety systems."

"It's not a high probability you'll be targeted," Lee added. "But this isn't an isolated threat anymore."

In other news:

  • Amazon Web Services is selling facial recognition software to law enforcement, according to a report from Motherboard and documents obtained by the American Civil Liberties Union (ACLU). The software, called Amazon Rekognition, performs real-time facial recognition and is being tested by some law enforcement agencies, including the Orlando, Fla., police department. Rekognition detects faces in images and video, including footage from public cameras, and compares them against collections of photographs the customer supplies in order to identify individuals such as persons of interest in crimes and missing persons. The ACLU and other civil liberties groups wrote a letter to Amazon CEO Jeff Bezos urging Amazon to stop selling Rekognition to law enforcement.
  • The FBI repeatedly gave Congress exaggerated statistics about encryption to support the bureau's "going dark" arguments, according to The Washington Post. Over the course of seven months, FBI Director Christopher Wray repeatedly claimed that investigators had been locked out of nearly 7,800 encrypted devices connected to crimes. The real figure, according to The Washington Post, is between 1,000 and 2,000 devices. The FBI acknowledged the error this week and said it stemmed from the use of three separate databases to track these devices, which caused some devices to be counted more than once. The FBI has long argued for law enforcement access to encrypted devices, and the issue gained prominence after the 2015 San Bernardino terror attack, when Apple refused to comply with a court order to help unlock a locked iPhone belonging to one of the shooters.
  • Researchers at Kaspersky Lab have reported rapid growth of the Roaming Mantis malware discovered last year. Roaming Mantis spread through Domain Name System (DNS) hijacking and primarily targeted Android devices. Now, Kaspersky Lab says, the Roaming Mantis campaign also includes phishing aimed at iOS devices and cryptomining on PCs. While the campaign started in Southeast Asia, it now also targets users in the Middle East and Europe, with support for 27 languages. The campaign has also begun to use more sophisticated evasion techniques, according to Kaspersky Lab. "The rapid growth of the campaign implies that those behind it have a strong financial motivation and are probably well-funded," Kaspersky Lab security researcher Suguru Ishimaru said in a report detailing the advances.
