Xenotime hackers target electric utilities

Xenotime hackers target electric utilities

A hacker group known for intrusions against oil and gas facilities is now expanding attacks against the electric utility sector.

The sophisticated hacker group dubbed Xenotime has been scanning dozens of power grid targets in the US and Asia-Pacific regions, according to a recent Dragos report. The activity is troubling given the bad actors are likely probing for industrial control system (ICS) weaknesses in preparation for future cyber attacks against critical infrastructure.

Consequently, security company Dragos issued a dire warning of a proliferation in ICS threats.

“More capable adversaries are investing heavily in the ability to disrupt critical infrastructure like oil and gas, electric power, water, and more,” Dragos added.

Trisis and Triton malware attacks

In November of 2017, Dragos discovered the same group used Trisis malware to infiltrate one entity in the Middle East. In that attack, actors used Trisis to target the victim’s Schneider Electric’s Triconex safety instrumented system (SIS).

In addition, FireEye’s Mandiant group independently spotted similar malware activity in late 2017 against a critical infrastructure organization. In that report, Mandiant said the attackers developed malware they dubbed Triton to inflict physical damage against its critical infrastructure targets and also shutdown operations.

Mandiant also added the malware activity was “consistent with a nation state preparing for an attack.”

It is noteworthy that Xenotime is now one of four malware threats designed to execute deliberate or destructive attacks against critical infrastructure. The other three notable threats include Electrum, Sandworm and Stuxnet.

Response and recovery safeguards

To help guard against future threats, Dragos said ICS operators should focus on response and recovery efforts. For instance, organizations should identify vendor contacts needed for support of specialized equipment. Also, entities should have solid incident response capabilities.

Furthermore, operators should maintain integrity or “known-good configuration” of systems and processes. That way, entities can rapidly recover systems and services in the event of a breach.

Finally, Dragos recommends companies identify operational workarounds as needed to maintain known-good and safe production or generating capability.

The Xenotime threat is yet another wake-up call for critical infrastructure organizations to harden their cyber security defenses.