chungking - Fotolia

Dragos: Xenotime threat group targeting U.S. electric companies

Dragos says Xenotime, the threat group behind a devastating ICS attack in 2017, has been probing the networks of U.S. electric utilities and also attempted network intrusions.

Critical infrastructure security vendor Dragos warned that Xenotime, the threat group behind the Trisis malware, is now targeting electric utility companies in the U.S.

Xenotime -- "easily the most dangerous" threat group publicly known, according to Dragos -- has changed its behavior. The group, which is best known for its attempt to cause an explosion at a Saudi Arabian oil and gas facility in 2017, has turned its sights to the U.S.

"Starting in late 2018, Xenotime began probing the networks of electric utility organizations in the U.S. and elsewhere using similar tactics to the group's operations against oil and gas companies," the Dragos report states. "This behavior could indicate the activity group was preparing for a further cyberattack, or at minimum satisfying the prerequisites for a future ICS-focused intrusion."

Dragos, which specializes in industrial control system (ICS) security, observed Xenotime collecting open source research on targeted electric companies, externally scanning those companies' networks and attempting to gain access through either credential stuffing or stolen credentials.

Dragos' report emphasized that none of the electric utility companies targeted by Xenotime, which includes companies in the Asia-Pacific region, experienced a successful intrusion. However, Dragos stressed that the "persistent attempts, and expansion in scope is cause for definite concern."

Joe Slowik, adversary hunter at Dragos, said Xenotime's shift was somewhat unexpected because while electric utilities are part of the overall energy vertical, they had different facilities, IT operations and networks than their oil and gas counterparts. "This speaks to their resources and their ambition. They might not be able to pull off a successful attack in this vertical right now, but they're signaling an intention to do so in the future," he said.

Slowik also noted that Xenotime's recent activity was "more brazen" with easily detectable scanning and intrusion attempts, compared to earlier activity from the group that was more discreet. It's unclear whether that change is a result of different personnel within the group or an alteration in its strategy, he said.

Xenotime first became publicly known in late 2017 when Dragos and FireEye jointly published research into the then-unnamed threat group's attack on Schneider Electric's Triconex Safety Instrumented System (SIS) controllers using the Trisis malware (also known as Triton). That attack, which affected a Saudi Arabian oil and gas facility earlier that year, was designed to shut down the SIS controllers and trigger a "destructive event," according to Dragos' report.

In May of 2018, Dragos gave the ICS threat group a name -- Xenotime -- and reported that it had expanded its scope beyond the Middle East and was actively targeting industrial firms in other regions, including North America.

While the Trisis attack disrupted the Saudi Arabian facility, it did not succeed in causing an explosion. Still, in an interview during RSA Conference 2018, Dragos CEO Robert Lee said that whoever developed the Trisis malware had clear intentions. "Whoever designed that capability was intending to kill people," he told SearchSecurity. "That should upset everybody around the world."

Lee reiterated those thoughts today via Twitter, saying, "XENOTIME is the only threat to have crossed the line to have ever tried to kill someone (TRISIS targeted safety systems). It's serious."

Despite the seriousness, Lee Tweeted there was no reason to "freak out" and advised organizations to take the proper precautions. The Dragos report offered several recommendations to ICS organizations, starting with improving the visibility into their environments by identifying assets and monitoring ICS network activity through logs and process-specific data.

Slowik echoed Lee's sentiment about the latest ICS threats. "We're looking at a sequence of events that are not indicative of an impending attack, but we know Xenotime is at least interested in meeting the prerequisites to commit such an attack in the future," he said. "We shouldn't be shouting 'The end is nigh!' because an attack is imminent because it's not, but I'd say we are getting closer, so organizations should take the time to address this threat."

Next Steps

Dragos: ICS security threats grew threefold in 2020

Dig Deeper on Threats and vulnerabilities

Enterprise Desktop
Cloud Computing