Experts at Dragos firm reported that Xenotime threat actor behind the 2017 Trisis/Triton malware attack is targeting electric utilities in the US and APAC.

Xenotime threat actor is considered responsible for the 2017 Trisis/Triton malware attack that hit oil and gas organizations.

In December 2017, the Triton malware (aka Trisis) was discovered by researchers at FireEye, it was specifically designed to target industrial control systems (ICS) system.

Security experts at CyberX who analyzed samples of the malware provided further details on the attack, revealing that Triton was likely developed by Iran and used to target an organization in Saudi Arabia.

In October 2018, FireEye experts discovered a link between the Triton malware, tracked by the company as TEMP.Veles, and the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), that is a Russian government research institute in Moscow.

Now, according to security firm Dragos, the group is targeting electric utilities in the United States and the Asia-Pacific (APAC) region.

“In February 2019, while working with clients across various utilities and regions, Dragos identified a persistent pattern of activity attempting to gather information and enumerate network resources associated with US and Asia-Pacific electric utilities.” reads a blog post published by Dragos.

“This behavior could indicate the activity group was preparing for a further cyberattack, or at minimum satisfying the prerequisites for a future ICS-focused intrusion.”

Xenotime has been active since at least 2014, its activity was discovered in 2017 after it caused a shutdown at a critical infrastructure organization somewhere in Saudi Arabia.

The group used a piece of malware known as Trisis, Triton and HatMan, and it targeted Schneider Electric’s Triconex safety instrumented systems (SIS) through a zero-day vulnerability. The attack was discovered after a SIS triggered a shutdown of some industrial systems, which experts believe hackers caused by accident.

Dragos experts revealed that the attacks against entities in the United States and the APAC region were similar to ones that targeted organizations in the oil and gas sector. The good news is that all the attacks carried out by the Xenotime group failed into breaching the targeted organization.

“The activities are consistent with Stage 1 ICS Cyber Kill Chain reconnaissance and initial access operations, including observed incidents of attempted authentication with credentials and possible credential ‘stuffing,’ or using stolen usernames and passwords to try and force entry into target accounts.” continues the report.

Dragos warns that Xenotime poses a serious threat to electric utilities that uses ICS-SCADA systems similar to the ones in the oil and gas industries.

“Electric utility environments are significantly different from oil and gas operations in several aspects, but electric operations still have safety and protection equipment that could be targeted with similar tradecraft. XENOTIME expressing consistent, direct interest in electric utility operations is a cause for deep concern given this adversary’s willingness to compromise process safety – and thus integrity – to fulfill its mission.” continues the experts.

Dragos presented research on Xenotime at SecurityWeek’s 2018 ICS Cyber Security Conference held in Atlanta, below the video of the presentation:

“Dragos emphasizes that the observed behavior is an expansion, a proliferation of the threat, and not a shift – oil and gas entities must still grapple with this adversary’s activity.” concludes Dragos. “While unfortunate, the expansion should serve as a clear signal to ICS operators – not only in oil and gas or electric utility operations – that the time to plan, implement, and enforce security standards and response processes in industrial environments is now.”

Pierluigi Paganini