Hackers behind the Trisis malware attack in 2017 that sparked a dangerous operational outage at a critical infrastructure facility in the Middle East are now eyeing electric grids in the U.S. and other regions, a recent report said.
The Xenotime crew, one of only a handful of cyber attackers capable of hitting industrial safety networks -- systems used by critical infrastructure plants to monitor safety conditions -- last year began reconnaissance missions into electric utility operations using the same tactics as it did against oil and gas companies, industrial cybersecurity specialist Dragos said in a blog post. The company’s researchers first noticed Xenotime’s expansion moves last February.
Dragos did not mince words in describing Xenotime’s threat to the electric grid. “Xenotime is the only known entity to specifically target safety instrumented systems for disruptive or destructive purposes,” the Hanover, Maryland-based Dragos wrote. “Electric utility environments are significantly different from oil and gas operations in several aspects, but electric operations still have safety and protection equipment that could be targeted with similar tradecraft. Xenotime expressing consistent, direct interest in electric utility operations is a cause for deep concern given this adversary’s willingness to compromise process safety – and thus integrity – to fulfill its mission.”
Launching attacks against the industrial sector is no small matter. It requires significant resources, Dragos said, which winnows the number of potential attackers down to a scant few. However, as more hackers see the value and interest in targeting critical infrastructure, and gain from doing so, the threat will increase. Indeed, in recent months security defenders’ warnings have grown louder about the threat to industrial controls systems. Two months ago, security provider Kaspersky said that nearly half of the ICS computers it protects were hit by distributed malware attacks last year.
So far, none of Xenotime’s forays into the electric grid have produced any successful intrusion into victim organizations. But with persistent attempts, the group’s expanded scope is definitely a concern, Dragos said.
Xenotime’s expansion to another industrial vertical signals an increasingly “hostile industrial threat landscape,” Dragos said. Right now, as far as Dragos can tell, Xenotime is in the information gathering stage to assess what it will take to conduct future attacks. The capability isn’t there yet to hit the electric grid, but that won’t last, Dragos said. There’s no evidence at this time “indicating that Xenotime or any other activity group, such as Electrum or Allanite, is capable of executing a prolonged disruptive or destructive event on electric utility operations, observed activity strongly signals adversary interest in meeting the prerequisites for doing so.”
In other words, just wait, it’s coming. Here’s what Dragos has to say about that:
On asset identification and environmental awareness. Industrial control system (ICS) asset owners and operators across all industries must prepare for potential breach and disruption scenarios. The most important thing a security team can do is improve visibility and awareness of ICS network activity.
On threat behavior detection. ICS-specific threat intelligence can also be leveraged to identify unique threat behavior patterns, evolving adversary methodology, and specific conduct.
On investigation, response, and recovery. When investigating or detecting ICS-specific intrusions and manipulation for hostile purposes, defenders must leverage all available information sources — from IT- like observations to process-specific impacts.
Specific items relating to response and recovery which can be immediately implemented include:
- Identify vendor contacts for support and analysis on specialized equipment not amenable to standard IT-based investigation techniques.
- Have appropriate incident response capabilities either in-house or on call.
- Maintain known-good configuration and process data both for comparison to possible compromised devices, and to enable rapid recovery in the event of a breach.
- Identify operational workarounds to maintain known-good, known-safe production or generating capability.
- Irrespective of how an organization addresses these questions, ICS operators must address such concerns in advance, rather than trying to figure out such sensitive, complex items mid- or post-intrusion.
Here’s what Dragos concluded:
“Dragos emphasizes that the observed behavior is an expansion, a proliferation of the threat, and not a shift – oil and gas entities must still grapple with this adversary’s activity. While unfortunate, the expansion should serve as a clear signal to ICS operators – not only in oil and gas or electric utility operations – that the time to plan, implement, and enforce security standards and response processes in industrial environments is now.”
