On the scale of security threats, hackers scanning potential targets for vulnerabilities might seem to rank rather low. But when it's the same hackers who previously executed one of the most reckless cyberattacks in history—one that could have easily turned destructive or even lethal—that reconnaissance has a more foreboding edge. Especially when the target of their scanning is the US power grid.

Over the past several months, security analysts at the Electric Information Sharing and Analysis Center (E-ISAC) and the critical-infrastructure security firm Dragos have been tracking a group of sophisticated hackers carrying out broad scans of dozens of US power grid targets, apparently looking for entry points into their networks. Scanning alone hardly represents a serious threat. But these hackers, known as Xenotime—or sometimes as the Triton actor, after their signature malware—have a particularly dark history. The Triton malware was designed to disable the so-called safety-instrument systems at Saudi Arabian oil refinery Petro Rabigh in a 2017 cyberattack, with the apparent aim of crippling equipment that monitors for leaks, explosions, or other catastrophic physical events. Dragos has called Xenotime "easily the most dangerous threat activity publicly known."

There's no sign that the hackers are anywhere near triggering a power outage—not to mention a dangerous physical accident—in the US. But the mere fact that such a notoriously aggressive group has turned its sights on the US grid merits attention, says Joe Slowik, a security researcher at Dragos who focuses on industrial control systems and who has tracked Xenotime.

"Xenotime has already proven itself willing not only to act within an industrial environment, but to do so in a quite concerning fashion, targeting safety systems for potential plant disruption and at minimum accepting the risk that disruption could result in physical damage and even harm to individuals," Slowik told WIRED. Xenotime's scans of the US grid, he adds, represent initial baby steps toward bringing that same sort of destructive sabotage to American soil. "What concerns me is that the actions observed to date are indicative of the preliminary actions required to set up for a future intrusion and potentially a future attack."

According to Dragos, Xenotime has probed the networks of at least 20 different US electric system targets, including every element of the grid from power generation plants to transmission stations to distribution stations. The scanning ranged from searching for remote login portals to scouring networks for vulnerable features, such as the buggy version of Server Message Block exploited by the EternalBlue hacking tool leaked from the NSA in 2017. "It's a combination of knocking on the door and trying a couple of doorknobs every once in a while," says Slowik.

While Dragos only became aware of the new targeting in early 2019, it traced the activity back to mid-2018, largely by looking at the targets' network logs. Dragos also saw the hackers similarly scan the networks of a "handful" of power grid operators in the Asia-Pacific region. Earlier in 2018, Dragos had reported that it saw Xenotime targeting about half a dozen North American oil and gas targets. That activity consisted largely of the same sort of probes seen more recently, but in some cases it also included attempts to crack the authentication of those networks.
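As an added illustration (not from the article, Dragos or E-ISAC), here is one way a defender could surface this kind of "doorknob rattling" in the network logs the article mentions: flag any source that touches many distinct internal hosts on SMB or remote-login ports within a short window. The log format, the sample lines, the port set and the thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow/firewall log lines (not real data):
# "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <action>"
SAMPLE_LOG = """\
2018-07-01T02:00:01 203.0.113.7 10.10.1.5 445 DENY
2018-07-01T02:00:03 203.0.113.7 10.10.1.6 445 DENY
2018-07-01T02:00:04 203.0.113.7 10.10.1.7 445 DENY
2018-07-01T02:00:06 203.0.113.7 10.10.1.8 445 ALLOW
2018-07-01T02:00:09 203.0.113.7 10.10.1.9 3389 DENY
2018-07-01T02:00:11 203.0.113.7 10.10.2.14 3389 DENY
2018-07-01T02:30:00 198.51.100.2 10.10.1.5 443 ALLOW
2018-07-01T02:31:00 198.51.100.2 10.10.1.5 443 ALLOW
2018-07-01T03:15:00 192.0.2.9 10.10.1.20 22 ALLOW
2018-07-01T03:15:04 192.0.2.9 10.10.1.21 22 DENY
"""

# Ports worth watching: SMB (the EternalBlue attack surface) and common
# remote-login services. Assumed set; tune it for the environment.
RECON_PORTS = {445, 3389, 22}

def parse_line(line):
    ts, src, dst, port, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), action

def find_horizontal_scans(log_text, window=timedelta(minutes=5), min_hosts=5):
    """Return {src_ip: distinct_hosts} for every source that reached at least
    min_hosts distinct internal hosts on RECON_PORTS inside one sliding window."""
    events = defaultdict(list)  # src -> [(timestamp, dst_ip)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, _ = parse_line(line)
        if port in RECON_PORTS:  # a blocked probe is still a probe
            events[src].append((ts, dst))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window
                start += 1
            hosts = {dst for _, dst in evs[start:end + 1]}
            if len(hosts) >= min_hosts:
                hits[src] = max(hits.get(src, 0), len(hosts))
    return hits
```

Denied connections are deliberately counted, since a scan that is blocked at the perimeter is still the reconnaissance signal worth alerting on.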

While those cases cumulatively represent an unnerving diversification of Xenotime's interests, Dragos says that only in a small number of incidents did the hackers actually compromise the target network, and those cases occurred in Xenotime's oil and gas targeting rather than its more recent grid probes. Even then, according to Dragos' analysis, they never managed to expand their control from the IT network to the far more sensitive industrial control systems, a prerequisite to directly causing physical mayhem like a blackout or planting Triton-style malware.