Xenotime Group Sets Sights on Electrical Power PlantsDragos: Trisis Malware Creator Moves Beyond Oil and Gas Industry
Xenotime, a threat group that had previously focused on targets in the oil and gas industry, is shifting its focus to electrical power plants and utilities, creating new challenges for security teams charged with protecting industrial control systems, security firm Dragos reports.
See Also: 2021: A Cybersecurity Odyssey
This shift from the oil and gas sector to electrical plants is recent, with researchers first taking note of the change in February. Additionally, investigators find that Xenotime had its sights set on targets in the U.S. as well as the Asia-Pacific region, Dragos reports in a research note released Friday.
So far, it does not appear that the Xenotime group has successfully conducted a full-scale operation against one of these electrical plants, but its behavior since February shows that the group is preparing for a full-scale intrusion of the industrial control systems that control these power plants, the Dragos research finds.
"At present, Dragos cannot determine what Xenotime's ultimate goal is in surveying U.S. electric sector targets," Joe Slowik, an adversary hunter at Dragos, tells Information Security Media Group.
"Given that Xenotime is one of a small number of entities that have proven both willing to and capable of launching a physically disruptive attack in ICS environments, our assessment at present is that Xenotime seeks sufficient knowledge and access in utility networks to enable a potential future electric utility disruptive event, potentially including physical destruction," Slowik adds.
Dragos declined to identify who might have built or used the malware.
The Dragos analysis of Xenotime's new goals comes as The New York Times on Saturday reported that the U.S. military is starting to increase the number of online incursions into Russia's electrical grid system that have the potential to disrupt power in that country.
New Type of Threat
The ability to use malicious code to successfully disrupt industrial control systems, which run the technology used in advanced manufacturing, pharmaceuticals, electricity generation, oil and gas, and power plants, is relatively new because it takes significant technical know-how, along with money and time, to develop such attacks (see: How Triton Malware Targets Industrial Control Systems).
Although some threat groups have tried previously to attack these systems, the game changed in 2017, when an oil and gas firm in Saudi Arabia was hit by malware referred to as either Trisis or Triton, according to security researchers.
In this case, the malicious code targeted the facility's Triconex Safety Instrumented System controllers, which are developed by Schneider Electric, according to research released by FireEye, which worked jointly with Dragos to study the incident.
These Safety Instrumented System controllers are designed as a safety control for the critical machinery within these industrial facilities. Interference with these controllers could cause massive damage to a plant or trigger a complete shutdown. However, the 2017 incident in Saudi Arabia failed after the attackers made a series of mistakes, according to FireEye and other security analysts.
There are several reasons why power plants and electrical grids have become more susceptible to malware such as Trisis or Triton, says Nathan Wenzler, the senior director of cybersecurity at Moss Adams, a Seattle-based accounting, consulting and wealth management firm. In many cases, these facilities have started connecting previously air-gapped systems to the public internet in order to embrace technologies such as the internet of things (see: Espionage Malware Penetrates Air-Gapped Networks).
These operational IT networks are now looking more and more like traditional IT networks, with industrial companies embracing the same types of software and services used in enterprises, Wenzler says.
"Culturally speaking, these companies are used to working in environments which are isolated, air-gapped and totally self-contained," Wenzler tells ISMG. "Now, they're internet-enabled to allow remote monitoring and management to give that real-time single pane of glass view on operations, which increases efficiency and response time. Which sounds good, but it also introduces all of the cyberattack challenges that come along with this kind of technology. And if you're an organization which has never had to deal with that problem, or has built entire operations processes around the notion that your systems would be fully isolated from the outside world, this is going to be a massive change to how you do business and will create a culture shock for many involved."
Although the Dragos research finds that Xenotime is likely the group responsible for the incident in Saudi Arabia, it's not clear whether the attackers have developed the ability to pull off another larger-scale, industrial attack within an electrical power plant.
Security researchers, however, are still learning about Xenotime and its motives.
In 2018, FireEye published a second report about the Trisis or Triton malware, connecting it to the Moscow-based Central Scientific Research Institute of Chemistry and Mechanics, a government-owned research and technical facility. That research note, however, does not use the name Xenotime to identify the group behind this particular strain malware.
In its new research report, Dragos does not tie the group to a particular country. But Slowik tells ISMG that in order to pull off a sophisticated attack against a power plant, Xenotime would need the backing of a nation-state, especially when it comes to funding and resources.
"Xenotime has proven capable of likely acquiring, reverse engineering, and developing attack packages for industrial control system equipment - all steps requiring a level of effort and resources typically beyond the reach of independent entities, but more often found in laboratories or other state-sponsored activity," Slowik says. "Given the group's demonstrated capability, Xenotime almost certainly draws on some level of state support."
Method of Attack
The exact techniques that Xenotime uses are still being investigated, but Dragos says that in some cases, it appears the group is attempting to use stolen administrative passwords and credentials to start the reconnaissance phase and begin mapping the network.
This type of brute-force credential stuffing technique is also being used by other groups to target these type of industrial networks, Slowik says.
"Dragos has identified a persistent trend among all ICS-targeting entities where adversaries focus on credential capture and re-use to facilitate both initial network access and lateral movement, including within the ICS environment," Slowik tells ISMG. "This approach is beneficial as it avoids the potential 'noise' and disruption of exploits while also allowing an attacker to 'blend in' with legitimate traffic. This same trend has played out in IT-based intrusions as well, but is especially prevalent in ICS intrusions due to password reuse and items such as hard-coded vendor passwords on certain systems."
For the operators of these electrical plants, Slowik recommends increasing visibility into the types of industrial control systems they are using.
"The main step that ICS asset owners and operators can take to improve security is to increase visibility into ICS networks and related processes, while also building in the ability to detect, respond, and recover from intrusions," Slowik adds.