
Xenotime: hackers behind Triton malware turn to power grids

In August 2017, a group of hackers turned their sights to an oil refinery on the west coast of Saudi Arabia. Having already infiltrated the facility’s industrial control system (ICS), they sabotaged its safety equipment before triggering an emergency shutdown, reportedly by accident.

That the disaster was averted only through the carelessness of the perpetrators did little to reassure observers. The attack was carried out using a strain of malware called Triton by a threat group known as Xenotime, which is regarded as one of the most dangerous hacker groups operating today.

Following the incident, Xenotime has been caught probing oil and gas companies across Europe and North America in search of vulnerabilities ripe for exploitation. Now, new research from the infrastructure security vendor Dragos suggests the group has expanded its scope to electricity companies in the US and Asia-Pacific.

According to the research, Xenotime has been observed attempting to gather information and assess the number of network resources deployed at the plants. “This behavior could indicate the activity group was preparing for a further cyberattack, or at minimum satisfying the prerequisites for a future ICS-focused intrusion,” Dragos said in a blogpost.

Dragos researchers added that the “activities are consistent with Stage 1 ICS Cyber Kill Chain reconnaissance and initial access operations including observed incidents of attempted authentication with credentials and possible credential ‘stuffing,’ or using stolen usernames and passwords to try and force entry into target accounts”.
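As an added illustration of the credential-stuffing reconnaissance Dragos describes, here is detection logic (example code added here, not from Dragos or the article) that runs over constructed authentication log lines and flags a source address that sweeps many distinct accounts in a short window, reporting any account that then authenticated successfully from that source. The log format, field names and addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article): a remote-access
# gateway logging authentication results. 203.0.113.5 sweeps many
# accounts in a short window (the stuffing pattern); 198.51.100.7 is
# one user who mistyped a password once.
SAMPLE_LOG = """\
2019-06-14T10:00:01Z auth_fail user=operator1 src=203.0.113.5
2019-06-14T10:00:03Z auth_fail user=hmi_admin src=203.0.113.5
2019-06-14T10:00:04Z auth_fail user=jsmith src=203.0.113.5
2019-06-14T10:00:06Z auth_fail user=backup src=203.0.113.5
2019-06-14T10:00:07Z auth_ok   user=eng_ro src=203.0.113.5
2019-06-14T10:00:09Z auth_fail user=svc_scada src=203.0.113.5
2019-06-14T10:02:30Z auth_fail user=jdoe src=198.51.100.7
2019-06-14T10:02:41Z auth_ok   user=jdoe src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>auth_fail|auth_ok)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse_log(text):
    """Yield (timestamp, result, user, src) for well-formed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["result"], m["user"], m["src"]


def detect_stuffing(text, window=timedelta(minutes=5), min_users=4):
    """Flag sources that try >= min_users distinct accounts within
    `window`; report any account that then succeeded from that source."""
    attempts = defaultdict(list)  # src -> [(ts, result, user)]
    for ts, result, user, src in parse_log(text):
        attempts[src].append((ts, result, user))
    flagged = {}
    for src, events in attempts.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            hits = [e for e in events[i:] if e[0] - start <= window]
            users = {u for _, _, u in hits}
            if len(users) >= min_users:
                flagged[src] = {"distinct_users": len(users),
                                "successes": sorted(u for _, r, u in hits if r == "auth_ok")}
                break
    return flagged
```

A single user retrying one password never reaches the threshold, while a success listed under a flagged source is the account to lock and investigate first.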

Sam Curry, chief security officer at Cybereason, explained that electricity companies are an appealing target for hackers without a financial motive. “Those who aren’t profit minded either want splash, and electrical power is showy; or they want options for the extension of politics by other means. However you slice it, the electrical grid is attractive to hackers.”

Xenotime’s latest behaviour should come as no surprise, according to Tenable’s chief technology officer Renaud Deraison. “The ongoing threats to operational technology (OT) and critical infrastructure are no longer theoretical; they have become our new reality,” said Deraison. “This is, in part, due to the convergence of IT and OT, which has connected once-isolated OT systems to the outside world, exposing them to a variety of potential attacks.”

“While reports indicate these latest attacks didn’t result in a successful intrusion, this should be a stark wake-up call for organisations everywhere.”