US power grid probed by Russian-linked hacker group
17 June 2019
A Russian-linked hacking group has been probing the US power grid network in search of weaknesses, according to security experts. The hacking group, 'Xenotime', is the same group that used its 'Triton' malware in an attempt to sabotage a Saudi petrochemical plant in 2017.
The non-profit Electric Information Sharing and Analysis Center (E-ISAC) and Dragos, a critical infrastructure security firm, have warned that Xenotime has been targeting US electric utilities and attempting network intrusions over the past few months. The probing suggests that the hacking group has expanded its scope from just the oil and gas sector to now include electrical utilities in the US and possibly elsewhere.
Xenotime is thought to be behind an attempted cyber-attack that used malware called Triton against a Saudi petrochemical plant in 2017, the second time the malware had been found in a Saudi facility. Despite the sophistication of the attack, the 2017 attempt failed due to a bug in the malware's code.
Although there has been no sign of any successful attempts at infiltrating the US power grid, experts are still worried by the probing due to Xenotime’s history of gaining access to targets. In a blog post by Dragos, the security firm labelled Xenotime as “the most dangerous threat to ICS [industrial control systems]”.
Dragos says that the probing of US utility organisations began in late 2018 and that Xenotime has been using similar methods to the ones it used in its attacks against the oil and gas sector.
The blog post by Dragos emphasises that there have been no reports of successful intrusion, but the “persistent attempts, and expansion in scope is cause for definite concern”.
Dragos says that Xenotime is the only known entity to specifically target safety instrumented systems (SIS) for disruptive or destructive purposes. “Electric utility environments are significantly different from oil and gas operations in several aspects, but electric operations still have safety and protection equipment that could be targeted with similar tradecraft”, the company said.
The change of interest from oil and gas to electrical utilities is particularly worrying due to Xenotime’s “willingness to compromise process safety – and thus integrity – to fulfill its mission”, added Dragos. A successful cyber-attack on an electrical utility could cause long-term blackouts and a myriad of issues for emergency services, power plants, water treatment plants and many other key facilities.
Dragos has made a number of defensive recommendations and called on asset owners and operators to immediately begin planning for response and recovery scenarios relating to a loss of SIS integrity. Given Xenotime's willingness to execute a fundamental attack on process safety, Dragos believes that cross-geography and cross-industry collaboration is critical to defend critical infrastructure and lives.
It is thought that Xenotime may have been operating since as early as 2014. Following research in 2018, cybersecurity firm FireEye assessed with "high confidence" that the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), a Russian government-owned technical research institution located in Moscow, was involved.