Security Market Segment LS
Saturday, 15 June 2019 10:58

Sec firm Dragos warns of threat group targeting electricity utilities

By Sam Varghese

Industrial security intelligence provider Dragos has issued a warning about a threat group it has baptised Xenotime, which it says has expanded its field of operations from the oil and gas industry to now also target electricity utilities in the US.

A blog post issued by the company, which is headed by former NSA hacker Robert M. Lee, said it had identified this shift in behaviour in February and that the change of tactics had been in evidence since late 2018.

The Xenotime group was claimed to be behind an attack in August 2017 on an oil facility owned by Saudi Arabia's Aramco; the attack was outlined by another security firm, FireEye, in December that year without naming the company or the country.

The malware used was named Triton by FireEye because it targets the Triconex safety instrumented system (SIS) controllers made by France's Schneider Electric and used globally. Triton is built to communicate with Triconex SIS controllers and reprogram their logic, which could stop a controller from carrying out an emergency shutdown when one is required.

FireEye said in April this year that it had encountered a second instance of Triton being used, but again did not specify where or what the target was. But FireEye, which has a reputation for not backing away from attribution, has claimed in the past that Triton is linked to a Russian Government-owned research institute.

The Dragos blog post was backed up by a report in E&E News which said that the North American Electric Reliability Corporation had referred to the firm's findings in an alert sent to a select group in March this year.

The alert is claimed to have said that Xenotime had been hitting American electricity utilities with "reconnaissance and potential initial access operations" since late 2018. The alert did not name its source, but the source was evident.

Dragos claimed to have identified "a persistent pattern of activity attempting to gather information and enumerate network resources associated with US and Asia-Pacific electric utilities" in the course of working with its clients in various regions.

Thus far, the only confirmed successful cyber attacks on a public utility's operations anywhere in the world have been those on Ukraine's electricity grid, in December 2015 and again in December 2016, which have been attributed to Russian groups.

Numerous other claims of so-called "cyber attacks" on various utilities have been made on various websites but have been debunked, many of them by the group Cyber Squirrel, which keeps track of such incidents and does not balk at publishing the truth.

While the Dragos post was for the most part sober, the company did not hesitate to use it to try to drum up more business, writing: "Dragos Platform customers have detections for XENOTIME, as the product receives these and other threat behaviour detection updates regularly".

It also advised businesses to "consider using an ICS-specific detection capability like the Dragos Platform".

Independent researchers have, in the past, dismissed attempts to dial up the fear index based on such attempts as those detailed by Dragos, with one telling iTWire that such probes were "meant to demonstrate capabilities, while offering no real threat to the distributed US energy grid".

Commenting on the threat, Renaud Deraison, the chief technology officer and co-founder of security firm Tenable, said: "The latest reports that Xenotime is targeting electric utilities in the US and Asia-Pacific region should come as no surprise, but certainly warrants concern.

"The ongoing threats to operational technology and critical infrastructure are no longer theoretical, they have become our new reality. This is, in part, due to the convergence of IT and OT which has connected once-isolated OT systems to the outside world, exposing them to a variety of potential attacks. While reports indicate these latest attacks didn’t result in a successful intrusion, this should be a stark wake up call for organisations everywhere."

Deraison pointed out that an independent study, conducted by the Ponemon Institute on behalf of Tenable, had found that 90% of organisations reliant on OT systems had experienced at least one damaging cyber attack over the past two years and 62% had two or more.

"These attacks resulted in data breaches and/or significant disruption and downtime to business operations, plants and operational equipment," he said.

"The convergence of these two worlds has left OT in the purview and responsibility of CISOs. This means the IT and OT silos must be broken down and replaced with a single pane of glass to identify where organisations are exposed and to what extent. This is an important step in reducing the chances of mission- and safety-critical systems being compromised or taken offline."


Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
