
Xenotime, hacker group behind oil and natural gas sites are now targeting US power grids

  • 5 min read
  • 24 Jun 2019


Researchers from the security firm Dragos reported on Friday that the group of hackers behind two potentially fatal intrusions into industrial facilities has expanded its activities to probe dozens of electricity grids in the US and other regions.

The group, known as Xenotime, gained attention in 2017 when researchers from Dragos and the cyber-security firm FireEye independently reported that Xenotime had caused a dangerous operational disruption at a critical infrastructure site in the Middle East, reports Ars Technica. Since then, Dragos researchers have called the group the most dangerous cyber threat in the world.

According to Bloomberg, FireEye Inc. has linked the group to a research institution in Moscow owned by the Russian government, called the Central Scientific Research Institute of Chemistry and Mechanics. Xenotime is one of the few groups in the world to use malware tailored to industrial control systems, said Benjamin Read, a FireEye senior manager.

The most alarming aspect of this group is its use of never-before-seen malware aimed at a facility's safety instrumented systems (SIS). A SIS is a combination of hardware and software that many critical infrastructure sites use to prevent unsafe conditions from arising. For example, when gas pressure or reactor temperature rises to a potentially unsafe threshold, the SIS automatically closes valves or initiates cooling to avoid accidents that endanger life.

In April, FireEye reported that the SIS manipulation malware, alternatively known as Triton and Trisis, was used in an attack at another industrial facility.

Proliferation of threats in different sectors

Dragos also reported that Xenotime has been conducting network scanning and reconnaissance against multiple components of power grids in the United States and other regions. Sergio Caltagirone, senior vice president of threat intelligence at Dragos, told Ars Technica that his firm has identified dozens of utilities, some of them located in the United States, that have been probed by Xenotime since 2018.

"The threat has proliferated and is now targeting electric companies in the US and Asia Pacific, which means that we are no longer safe thinking that the threat to our electrical utilities is understood or stable," he said in an interview. "This is the first sign that threats are proliferating in all sectors, which means that now we can not be sure that a threat to the sector will remain in that sector and will not cross." Probes can take multiple forms. One is credential stuffing, which reuses passwords stolen in earlier, sometimes unrelated, breaches in the hope that they will also work against new targets. Another is network scanning, which maps and catalogs the computers, routers and other devices connected to a network and lists the ports on which they accept connections.
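As an added illustration that is not part of the article or of Dragos's research, the two kinds of probing just described leave recognisable traces in ordinary logs: a credential-stuffing source fails against many distinct accounts, and a network sweep touches many distinct host/port pairs. The log lines, hostnames and addresses below are constructed for the example.

```python
# Added example, not from the article or Dragos: flag the two probe patterns the
# article names (credential stuffing, network sweeps) in constructed log lines.
from collections import defaultdict
import re

# Constructed syslog-style authentication lines (not real data).
AUTH_LOGS = """\
2019-06-20T01:00:01 vpn-gw sshd: Failed password for alice from 198.51.100.7
2019-06-20T01:00:02 vpn-gw sshd: Failed password for bob from 198.51.100.7
2019-06-20T01:00:03 vpn-gw sshd: Failed password for carol from 198.51.100.7
2019-06-20T01:00:04 vpn-gw sshd: Failed password for dave from 198.51.100.7
2019-06-20T01:00:05 vpn-gw sshd: Failed password for erin from 198.51.100.7
2019-06-20T01:00:06 vpn-gw sshd: Accepted password for frank from 198.51.100.7
2019-06-20T01:05:00 vpn-gw sshd: Failed password for alice from 203.0.113.9
2019-06-20T01:05:30 vpn-gw sshd: Failed password for alice from 203.0.113.9
"""
# Constructed firewall lines; the dropped ports are common ICS protocol ports.
FW_LOGS = """\
2019-06-20T02:00:00 fw DROP src=192.0.2.5 dst=10.10.0.20 dport=22
2019-06-20T02:00:00 fw DROP src=192.0.2.5 dst=10.10.0.20 dport=502
2019-06-20T02:00:01 fw DROP src=192.0.2.5 dst=10.10.0.21 dport=102
2019-06-20T02:00:01 fw DROP src=192.0.2.5 dst=10.10.0.22 dport=20000
2019-06-20T02:00:02 fw DROP src=192.0.2.5 dst=10.10.0.23 dport=44818
2019-06-20T02:00:02 fw DROP src=192.0.2.5 dst=10.10.0.24 dport=502
2019-06-20T02:00:03 fw ACCEPT src=10.10.0.2 dst=10.10.0.20 dport=502
"""

AUTH_RE = re.compile(r"(Failed|Accepted) password for (\S+) from (\S+)")
FW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")

def credential_stuffing_sources(logs, min_accounts=5):
    """Sources whose failures span many distinct accounts (stuffing, not a typo)."""
    accounts = defaultdict(set)          # source IP -> set of usernames that failed
    for line in logs.splitlines():
        m = AUTH_RE.search(line)
        if m and m.group(1) == "Failed":
            accounts[m.group(3)].add(m.group(2))
    return {src: len(a) for src, a in accounts.items() if len(a) >= min_accounts}

def sweep_sources(logs, min_targets=5):
    """Sources whose dropped connections span many distinct host:port pairs (a sweep)."""
    targets = defaultdict(set)           # source IP -> set of (dst, dport)
    for line in logs.splitlines():
        m = FW_RE.search(line)
        if m and " DROP " in line:
            targets[m.group(1)].add((m.group(2), m.group(3)))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}

if __name__ == "__main__":
    print(credential_stuffing_sources(AUTH_LOGS))  # {'198.51.100.7': 5}
    print(sweep_sources(FW_LOGS))                   # {'192.0.2.5': 6}
```

The thresholds are deliberately simple; in production they would be tuned per source type and combined with the known-breach password lists the article mentions.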

"The scale of the operation and the regions it addresses," Caltagirone said, "shows more than a passing interest in the sector."

In a report published on Friday, Dragos researchers wrote:

“While none of the events of the electric utility company resulted in a known and successful intrusion into victim organizations to date, persistent attempts and the expansion in scope are cause for ultimate concern. Xenotime has successfully engaged several oil and gas environments, demonstrating its ability to do so in other vertical markets. Specifically, Xenotime remains one of four threats (along with Electrum, Sandworm and the entities responsible for Stuxnet) to execute a deliberate disruptive or destructive attack.

Xenotime is the only known entity specifically aimed at safety instrumented systems (SIS) for disruptive or destructive purposes. The electrical service environments are significantly different from oil and gas operations in several aspects, but electrical operations still have safety and protection equipment that could be directed with similar vessels. Xenotime, which expresses a direct and constant interest in the operations of the electric company, is a cause for deep concern, given the willingness of this adversary to compromise the security of the process, and therefore the integrity, of fulfilling its mission.

The expansion of Xenotime to another vertical industry is emblematic of an increasingly hostile industrial industry. The most observed Xenotime activity focuses on the collection of initial information and access operations necessary for ICS tracking intrusion operations. As seen in the long-term intrusions sponsored by the state in the US, the United Kingdom and other electrical infrastructure, entities are increasingly interested in the fundamental aspects of ICS operations and show all the badges associated with the information and acquisition of access necessary to carry out future attacks.

While Dragos does not see evidence at this time to indicate that Xenotime (or any other activity group, such as Electrum or Allanite) is capable of executing a prolonged disruptive or destructive event in the operations of the electric company, the observed activity shows a strong adversary interest in meeting the prerequisites for doing so.”

The news has caused anxiety among cyber security folks in Reddit comments; one user wrote, “it's time to develop disconnected micro grids”. Another user commented, “Or just do security correctly. Much of the utility infrastructure in the country does not align with best practices or published standards.”

To learn more, see the official Dragos research page.
