In a new troubling escalation, hackers behind at least two potentially fatal intrusions on industrial facilities have expanded their activities to probing dozens of power grids in the US and elsewhere, researchers with security firm Dragos reported Friday.

The group, now dubbed Xenotime by Dragos, quickly gained international attention in 2017 when researchers from Dragos and the Mandiant division of security firm FireEye independently reported Xenotime had recently triggered a dangerous operational outage at a critical-infrastructure site in the Middle East. Researchers from Dragos have labeled the group the world's most dangerous cyber threat ever since.

The most alarming thing about this attack was its use of never-before-seen malware that targeted the facility’s safety processes. Such safety instrumented systems (SIS) are a combination of hardware and software that many critical infrastructure sites use to prevent unsafe conditions from arising. When gas fuel pressures or reactor temperatures rise to potentially unsafe thresholds, for instance, an SIS will automatically close valves or initiate cooling processes to prevent health- or life-threatening accidents.

Proliferating across sectors

In April, FireEye reported that the SIS-tampering malware, known alternately as Triton and Trisis, was used in an attack on another industrial facility.

Now, Dragos is reporting that Xenotime has been performing network scans and reconnaissance on multiple components across the electric grids in the US and in other regions. Sergio Caltagirone, senior VP of threat intelligence at Dragos, told Ars his firm has detected dozens of utilities—about 20 of them located in the US—that have been subjected to Xenotime probes since late 2018. While the activities indicate only an initial exploration and there’s no evidence the utilities have been compromised, he said the expansion was nonetheless concerning.

“The threat has proliferated and is now targeting the US and Asia Pacific electric utilities, which means that we are no longer safe thinking that the threat to our electric utilities is understood or stable,” he said in an interview. “This is the first signal that threats are proliferating across sectors, which means that now we can’t be certain that a threat to one sector will stay in that sector and won’t cross over.”

The probes come in multiple forms. One is credential-stuffing attacks, which use passwords stolen in earlier, sometimes unrelated breaches in hopes they will work against new targets. Another is network scans, which map and catalog the various computers, routers, and other devices connected to a network and list the network ports they receive connections on.

“The scale of the operation, the number targeted and the regions being targeted,” Caltagirone said, “shows more than just a passing interest in the sector.”

The first-reported attack, which E&E News reported in March, targeted Saudi Arabian oil refinery Petro Rabigh and an SIS product line known as Triconex made by Schneider Electric. An analysis of the Triton malware showed its developers have performed extensive reverse engineering of the product. The SIS targeted in the attack shut down operations when it experienced an error that occurred as the hackers were performing reconnaissance on the facility. Although the hackers were likely seeking the ability to cause physical damage inside the facility, the November shutdown was likely an accident.

Less is known about the Xenotime intrusion on the second critical facility. It’s still not clear, for instance, if it also targeted a Triconex SIS or whether it resulted in an outage or unsafe conditions.

Select group

So far no one knows for sure who Xenotime is. Initial suspicions pointed to hackers working on behalf of Iran. Last October, FireEye assessed with high confidence that Triton was developed with the help of the Central Scientific Research Institute of Chemistry and Mechanics in Moscow. Russia has been tied to other critical infrastructure attacks, including one in December 2015 on regional power authorities in Ukraine that left hundreds of thousands of people in the Ivano-Frankivsk region of Ukraine without electricity. That attack represented the first known hacker-caused power outage. And almost exactly one year later, a second hack tied to Russia took out power in Ukraine again.

Whoever is behind Xenotime, the group's demonstrated ability to cause physical destruction puts it in a group of threat actors that so far is known to include only four others. In a post published on Friday, Dragos researchers wrote:

While none of the electric utility targeting events has resulted in a known, successful intrusion into victim organizations to date, the persistent attempts, and expansion in scope is cause for definite concern. XENOTIME has successfully compromised several oil and gas environments which demonstrates its ability to do so in other verticals. Specifically, XENOTIME remains one of only four threats (along with ELECTRUM, Sandworm, and the entities responsible for Stuxnet) to execute a deliberate disruptive or destructive attack. XENOTIME is the only known entity to specifically target safety instrumented systems (SIS) for disruptive or destructive purposes. Electric utility environments are significantly different from oil and gas operations in several aspects, but electric operations still have safety and protection equipment that could be targeted with similar tradecraft. XENOTIME expressing consistent, direct interest in electric utility operations is a cause for deep concern given this adversary’s willingness to compromise process safety – and thus integrity – to fulfill its mission. XENOTIME’s expansion to another industry vertical is emblematic of an increasingly hostile industrial threat landscape. Most observed XENOTIME activity focuses on initial information gathering and access operations necessary for follow-on ICS intrusion operations. As seen in long-running state-sponsored intrusions into US, UK, and other electric infrastructure, entities are increasingly interested in the fundamentals of ICS operations and displaying all the hallmarks associated with information and access acquisition necessary to conduct future attacks. While Dragos sees no evidence at this time indicating that XENOTIME (or any other activity group, such as ELECTRUM or ALLANITE) is capable of executing a prolonged disruptive or destructive event on electric utility operations, observed activity strongly signals adversary interest in meeting the prerequisites for doing so.

Xenotime’s expansion into power utilities was first reported by E&E News and Wired, which cited a slide published by E-ISAC, a part of the North American Electric Reliability Corporation. The slide noted that Dragos detected Xenotime "performing reconnaissance and potential initial access operations" against North American grid targets and that the E-ISAC "tracked similar activity information from electricity industry members and government partners." Dragos went public with its findings once it got inquiries about the slide.