XENOTIME, a cyberthreat activity group thought responsible for the TRISIS/TRITON malware attacks on safety instrumented systems (SIS) at a Middle Eastern oil and gas facility in 2017, has been probing power company networks in the U.S. and elsewhere, new intelligence from industrial control systems (ICS) security firm Dragos shows.
"In February 2019, Dragos identified a change in XENOTIME behavior: starting in late 2018, XENOTIME began probing the networks of electric utility organizations in the U.S. and elsewhere using similar tactics to the group's operations against oil and gas companies," the company said in a June 14 blog.
The threat was detected by Dragos Platform customers, which "have detections for XENOTIME, as the product receives these and other threat behavior detection updates regularly," it said. While no power sector targeting events have resulted in a "known, successful intrusion into victim organizations to date, the persistent attempts, and expansion in scope is cause for definite concern," said Dragos.
The discovery is alarming to Dragos. Sergio Caltagirone, vice president of Threat Intelligence at Dragos, on Friday told POWER: "Offensive government programs worldwide are placing more emphasis and resources into attacking and disrupting industrial processes like oil, power, and water. This means more attacks are coming. People will die, we just don't know when."
A Dangerous Adversary
Dragos considers XENOTIME the "most dangerous threat to ICS," and it warns that the expansion by the group, which is already active in the oil and gas and manufacturing sectors, "illustrates a trend that will likely continue for other ICS-targeting adversaries." The development shows that ICS cyber threats are "proliferating," it said.
Of specific concern is XENOTIME's ability to target SIS for disruptive or destructive purposes. A SIS is an autonomous control system that independently monitors the status of the process under control. When the process exceeds its safe operating parameters, entering a hazardous state such as over-pressurization, overspeed, or overheating, the SIS brings it back into a safe state or automatically shuts it down safely.
"Electric utility environments are significantly different from oil and gas operations in several aspects, but electric operations still have safety and protection equipment that could be targeted with similar tradecraft," Dragos noted. "XENOTIME expressing consistent, direct interest in electric utility operations is a cause for deep concern given this adversary's willingness to compromise process safety–and thus integrity–to fulfill its mission."
It added: "While Dragos sees no evidence at this time indicating that XENOTIME (or any other activity group, such as ELECTRUM or ALLANITE) is capable of executing a prolonged disruptive or destructive event on electric utility operations, observed activity strongly signals adversary interest in meeting the prerequisites for doing so."
Increased Activity Since the 2017 TRITON/TRISIS Attack
Cybersecurity firm FireEye and Dragos were the first to publicly expose a destructive TRITON/TRISIS malware attack that reportedly occurred in October 2017 at a Petro Rabigh facility, on the west coast of Saudi Arabia. Their reports in December 2017 prompted wide alarm among ICS security professionals because the attack targeted Schneider Electric's Triconex SIS and "inadvertently caused a process shutdown," as FireEye said.
FireEye and other experts have consistently warned that TRITON is an especially insidious attack framework because it is designed and deployed to modify application memory on SIS controllers to prevent them from functioning correctly, increasing the likelihood of a failure and other physical consequences. "The TRITON intrusion is shrouded in mystery," FireEye noted, however.
FireEye pinned deployment of TRITON in the 2017 attack to a Russian government-owned technical research institute in Moscow. In May 2018, Dragos gave the threat group a name: "XENOTIME."
Since the 2017 attack, XENOTIME has compromised "several ICS vendors and manufacturers in 2018, providing potential supply chain threat opportunities and vendor-enabled access to target ICS networks," Dragos has warned.
This April, FireEye alerted industry to new intrusion activity at a "critical infrastructure facility." Dragos confirmed the activity was carried out by XENOTIME but said the incident did not involve TRITON/TRISIS. At the time, Joe Slowik, an adversary hunter at Dragos, told POWER that the group "remains active in the oil and gas and other ICS sectors, in addition to having a persistent interest in ICS OEMs and manufacturers."
On Friday, Dragos said activity targeting clients across various utilities and regions was first detected in February 2019. The company has since identified a "persistent pattern of activity attempting to gather information and enumerate network resources associated with U.S. and Asia-Pacific electric utilities," it said.
"This behavior could indicate the activity group was preparing for a further cyberattack, or at minimum satisfying the prerequisites for a future ICS-focused intrusion," it warned. The activities are consistent with Stage 1 ICS Cyber Kill Chain reconnaissance and initial access operations, including observed incidents of attempted authentication with credentials and possible credential "stuffing," that is, using stolen usernames and passwords to try to force entry into target accounts, it said.
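One way a defender can surface the credential-stuffing pattern described above in authentication logs, as an added example (not code from Dragos or this article): it flags a source address whose failed logins span many distinct usernames within a short window, and notes any later success from the same source. The log line format, the 198.51.100.x and 203.0.113.x source addresses, and the window and username thresholds are all assumed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed log line format (constructed for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: 198.51.100.7 sprays many usernames; 203.0.113.9 is a normal user.
SAMPLE_LOG = """\
2019-02-12T03:14:05Z src=198.51.100.7 user=jsmith result=FAIL
2019-02-12T03:14:06Z src=198.51.100.7 user=mlee result=FAIL
2019-02-12T03:14:07Z src=198.51.100.7 user=operator1 result=FAIL
2019-02-12T03:14:08Z src=198.51.100.7 user=scada_admin result=FAIL
2019-02-12T03:14:09Z src=198.51.100.7 user=rwilson result=FAIL
2019-02-12T03:14:11Z src=198.51.100.7 user=rwilson result=OK
2019-02-12T03:20:00Z src=203.0.113.9 user=jsmith result=FAIL
2019-02-12T03:20:15Z src=203.0.113.9 user=jsmith result=OK
"""

def parse(log_text):
    """Yield (timestamp, src, user, result) for each well-formed line; skip others."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["src"], m["user"], m["result"]

def find_stuffing(log_text, window=timedelta(minutes=10), min_users=4):
    """Return {src: {"users": [...], "success_after": [...]}} for each source
    whose failures cover at least `min_users` distinct usernames within `window`."""
    events = sorted(parse(log_text))   # chronological order
    fails = defaultdict(list)          # src -> [(ts, user)]
    successes = defaultdict(list)      # src -> [(ts, user)]
    for ts, src, user, result in events:
        (fails if result == "FAIL" else successes)[src].append((ts, user))
    findings = {}
    for src, attempts in fails.items():
        for i, (start, _) in enumerate(attempts):
            in_window = [u for t, u in attempts[i:] if t - start <= window]
            users = sorted(set(in_window))
            if len(users) >= min_users:
                # A success from the same source after the spray is the strongest signal.
                later_ok = sorted({u for t, u in successes[src] if t >= start})
                findings[src] = {"users": users, "success_after": later_ok}
                break
    return findings
```

Running `find_stuffing(SAMPLE_LOG)` flags only 198.51.100.7, with `rwilson` listed as a successful login after the spray; the single failed attempt from 203.0.113.9 is below the threshold.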
Defense and Control
According to Caltagirone, proactivity will be crucial. "Industrial control system owners and operators need to establish an authoritative understanding of their environments and begin searching for threat behaviors now, while preparing responses for the inevitable," he said. "Utilities, companies, and governments must work cooperatively around the world and across industrial sectors to jointly defend lives and infrastructure from the increasing scope and scale of offensive critical infrastructure cyberattacks."
Dragos has urged asset owners and operators across ICS "to be aware of XENOTIME's tactics, techniques, and procedures, and consider using an ICS-specific detection capability like the Dragos Platform while also implementing defensive recommendations."
In a list of defensive actions owners and operators could take, it also recommended leveraging all available information sources, from IT-like observations to process-specific impacts, to gain "a complete view of ICS network operations enabling informed response and root cause analysis of industrial incidents."
Asset owners and operators must begin planning "now" for response and recovery scenarios related to a loss of SIS integrity. Specific actions could include:
- Identify vendor contacts for support and analysis on specialized equipment not amenable to standard IT-based investigation techniques.
- Have appropriate incident response capabilities either in-house or on call.
- Maintain known-good configuration and process data, both for comparison to possibly compromised devices and to enable rapid recovery in the event of a breach.
- Identify operational workarounds to maintain known-good, known-safe production or generating capability.
Finally, it urged policymakers and corporate risk managers to note that cross-geography and cross-industry collaboration is "critical."
"Critical infrastructure cannot be siloed as the threat is operating across verticals and may even use one against the other; for instance, targeting electric to deny power to an oil refinery," it said. "Utilities, companies, and governments must work cooperatively around the world and across industrial sectors to jointly defend lives and infrastructure from the increasing scope and scale of offensive critical infrastructure cyber-attack."
–Sonal Patel is a POWER associate editor (@sonalcpatel, @POWERmagazine).