Saturday, 15 June 2019 10:58

Sec firm Dragos warns of threat group targeting electricity utilities

Industrial security intelligence provider Dragos has issued a warning about a threat group it has baptised Xenotime, which it says has expanded its field of operations from the oil and gas industry to now also target electricity utilities in the US.

A blog post issued by the company, which is headed by former NSA hacker Robert M. Lee, said it had identified this shift in behaviour in February and that the change of tactics had been in evidence since late 2018.

The Xenotime group was claimed to be behind an attack in August 2017 on an oil facility owned by Saudi Arabia's Aramco; the attack was outlined by another security firm, FireEye, in December that year, without naming the company or the country.

The malware used was named Triton by FireEye (Dragos calls the same malware Trisis) because it attacks a safety system known as Triconex, which is made by France's Schneider Electric and used globally. Triton is built to interact with Triconex Safety Instrumented System controllers, and tampering with such a controller can prevent it from performing the emergency shutdown it exists to carry out.

FireEye said in April this year that it had encountered a second instance of Triton being used, but again did not specify where or what the target was. But FireEye, which has a reputation for not backing away from attribution, has claimed in the past that Triton is linked to a Russian Government-owned research institute.

The Dragos blog post was backed up by a report in EENews, which said that the North American Electric Reliability Corporation had referred to the firm's findings in an alert sent in March this year to a select group.

The alert is claimed to have said that Xenotime had been hitting American electricity utilities with "reconnaissance and potential initial access operations" since late 2018. The alert did not name its source, but it was evidently Dragos.

Dragos claimed to have identified "a persistent pattern of activity attempting to gather information and enumerate network resources associated with US and Asia-Pacific electric utilities" in the course of working with its clients in various regions.

Thus far, Ukraine is the only country where a successful attack on a public electricity utility is known to have taken place; the attacks on its grid in December 2015 and December 2016 have been attributed to Russian groups.

Numerous other claims of so-called "cyber attacks" on various utilities have been filed by various websites but have been debunked, many of them by the group Cyber Squirrel, which keeps track of such incidents and does not balk at publishing the truth.

While the Dragos post was for the most part sober, the company did not hesitate to use it to try and drum up more business, writing "Dragos Platform customers have detections for XENOTIME, as the product receives these and other threat behaviour detection updates regularly".

It also advised businesses to "consider using an ICS-specific detection capability like the Dragos Platform".

Independent researchers have, in the past, dismissed attempts to dial up the fear index on the basis of activity such as that detailed by Dragos, with one telling iTWire that such probes were "meant to demonstrate capabilities, while offering no real threat to the distributed US energy grid".

Commenting on the threat, Renaud Deraison, the chief technology officer and co-founder of security firm Tenable, said: "The latest reports that Xenotime is targeting electric utilities in the US and Asia-Pacific region should come as no surprise, but certainly warrants concern.

"The ongoing threats to operational technology and critical infrastructure are no longer theoretical, they have become our new reality. This is, in part, due to the convergence of IT and OT which has connected once-isolated OT systems to the outside world, exposing them to a variety of potential attacks. While reports indicate these latest attacks didn’t result in a successful intrusion, this should be a stark wake up call for organisations everywhere."

Deraison pointed out that an independent study, conducted by the Ponemon Institute on behalf of Tenable, had found that 90% of organisations reliant on OT systems had experienced at least one damaging cyber attack over the past two years and 62% had two or more.

"These attacks resulted in data breaches and/or significant disruption and downtime to business operations, plants and operational equipment," he said.

"The convergence of these two worlds has left OT in the purview and responsibility of CISOs. This means the IT and OT silos must be broken down and replaced with a single pane of glass to identify where organisations are exposed and to what extent. This is an important step in reducing the chances of mission- and safety-critical systems being compromised or taken offline."


26-27 February 2020 | Hilton Brisbane

Connecting the region’s leading data analytics professionals to drive and inspire your future strategy

Leading the data analytics division has never been easy, but now the challenge is on to remain ahead of the competition and reap the massive rewards as a strategic executive.

Do you want to leverage data governance as an enabler?Are you working at driving AI/ML implementation?

Want to stay abreast of data privacy and AI ethics requirements? Are you working hard to push predictive analytics to the limits?

With so much to keep on top of in such a rapidly changing technology space, collaboration is key to success. You don't need to struggle alone, network and share your struggles as well as your tips for success at CDAO Brisbane.

Discover how your peers have tackled the very same issues you face daily. Network with over 140 of your peers and hear from the leading professionals in your industry. Leverage this community of data and analytics enthusiasts to advance your strategy to the next level.

Download the Agenda to find out more


Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.



Recent Comments