On the scale of security threats, hackers scanning potential targets for vulnerabilities might seem to rank rather low. But when it's the same hackers who previously executed one of the most reckless cyberattacks in history–one that could have easily turned destructive or even lethal–that reconnaissance has a more foreboding edge. Especially when the target of their scan is the US power grid.
Over the past several months, security analysts at the Electric Information Sharing and Analysis Center (E-ISAC) and the critical-infrastructure security firm Dragos have been tracking a group of sophisticated hackers carrying out broad scans of dozens of US power grid targets, apparently looking for entry points into their networks. Scanning alone hardly represents a serious threat. But these hackers, known as Xenotime–or sometimes as the Triton actor, after their signature malware–have a particularly dark history. The Triton malware was designed to disable the so-called safety-instrumented systems at the Saudi Arabian oil refinery Petro Rabigh in a 2017 cyberattack, with the apparent aim of crippling equipment that monitors for leaks, explosions, or other catastrophic physical events. Dragos has called Xenotime “easily the most dangerous threat activity publicly known.”
There's no sign that the hackers are anywhere near triggering a power outage–not to mention a dangerous physical accident–in the US. But the mere fact that such a notoriously aggressive group has turned its sights on the US grid merits attention, says Joe Slowik, a security researcher at Dragos who focuses on industrial control systems and who has tracked Xenotime.
“Xenotime has already proven itself willing not only to act within an industrial surrounding, but to do so in a quite concerning way, targeting security systems for potential plant interruption and at minimum accepting the risk that interruption could result in physical damage and even be detrimental to someone,” Slowik told WIRED. Xenotime's scans of the US grid, he adds, represent initial baby steps toward bringing that same kind of destructive sabotage to American soil. “What concerns me is that the actions observed to date are indicative of the preliminary actions required to set up for a future intrusion and potentially a future attack.”
According to Dragos, Xenotime has probed the networks of at least 20 different US electric system targets, covering every part of the grid from power generation plants to transmission stations to distribution stations. Its scanning ranged from searching for remote login portals to scouring networks for vulnerable features, such as the buggy version of Server Message Block exploited by the EternalBlue hacking tool leaked from the NSA in 2017. “It's a combination of knocking on the door and trying a couple of doorknobs every once in a while,” says Slowik.
While Dragos only became aware of the new targeting in early 2019, it traced the activity back to mid-2018, largely by looking at the targets' network logs. Dragos also saw the hackers similarly scan the networks of a “handful” of electricity grid operators in the Asia-Pacific region. Earlier in 2018, Dragos had reported that it had observed Xenotime targeting about half a dozen North American oil and gas targets. That activity consisted largely of the same sort of probes observed more recently, but in some cases it also included attempts to crack the authentication of those networks.
While those cases cumulatively represent an unnerving diversification of Xenotime's interests, Dragos says that only in a small number of incidents did the hackers actually compromise the target network, and those cases occurred in Xenotime's oil and gas targeting rather than its more recent grid probes. Even then, according to Dragos' analysis, they never managed to expand their control from the IT network to the far more sensitive industrial control systems, a prerequisite to directly causing physical mayhem like a blackout or planting Triton-style malware.
By contrast, in its 2017 attack on Saudi Arabia's Petro Rabigh refinery, Xenotime not only gained access to the company's industrial control system network but took advantage of a vulnerability in the Schneider Electric-made Triconex safety-instrumented systems it used, essentially knocking out that safety equipment. The sabotage could have been the precursor to causing a serious physical accident. Fortunately, the hackers instead triggered an emergency shutdown of the plant–apparently by accident–without any more severe physical consequences.
Whether Xenotime would attempt that sort of Triton-style sabotage against the US grid is far from clear. Many of the victims it has recently targeted don't employ safety-instrumented systems, though some do use those physical safety systems to protect gear like generation turbines, according to Dragos' Slowik. And grid operators commonly use other digital safety equipment like protective relays, which monitor for overloaded or out-of-sync grid equipment, to prevent accidents.
Dragos says it learned of Xenotime's recent targeting activity largely from its customers and other industry members sharing information with the company. But the new findings came into the public light in part due to an apparently accidental leak: E-ISAC, a part of the North American Electric Reliability Corporation, published a presentation from March on its website that included a slide containing a screenshot of a Dragos and E-ISAC report on Xenotime's activity. The report notes that Dragos detected Xenotime “performing reconnaissance and potential initial access operations” against North American grid targets, and it notes that the E-ISAC “tracked similar activity information from energy industry members and government partners.” E-ISAC didn't respond to WIRED's request for further comment.
Dragos has shied away from naming any country that might be behind Xenotime's attacks. Despite initial speculation that Iran was responsible for the Triton attack on Saudi Arabia, security firm FireEye in 2018 pointed to forensic links between the Petro Rabigh attack and a Moscow research institute, the Central Scientific Research Institute of Chemistry and Mechanics. If Xenotime is in fact a Russian or Russia-sponsored group, it would be far from the only Russian hacking group to target the grid. The Russian hacker group known as Sandworm is believed to be responsible for attacks on Ukrainian electric utilities in 2015 and 2016 that cut power to hundreds of thousands of people, the only blackouts confirmed to have been triggered by hackers. And last year the Department of Homeland Security warned that a Russian group known as Palmetto Fusion or Dragonfly 2.0 had gained access to the actual control systems of American power utilities, bringing them much closer to causing a blackout than Xenotime has come thus far.
Nonetheless, FireEye, which performed incident response for the 2017 Petro Rabigh attack and another breach by the same hackers, backs Dragos' assessment that Xenotime's new targeting of the US grid is a troubling development. “Scanning is flustering,” says John Hultquist, FireEye's director of threat intelligence. “Scanning is the first step in a long series. But it indicates interest in that space. It's not as worrisome as actually dropping their Triton implant on US critical infrastructure. But it's something we definitely want to keep an eye on and track.”
Beyond the threat to the US grid alone, Dragos vice president of threat intelligence Sergio Caltagirone argues that Xenotime's expanded targeting shows how state-sponsored hacker groups are becoming more ambitious in their attacks. Such groups have grown not only in number but also in the scope of their activities, he says. “Xenotime has jumped from oil and gas, from purely operating in the Middle East, to North America in early 2018, to the electric grid in North America in mid-2018. We're seeing proliferation across sectors and geographies. And that menace proliferation is the most dangerous thing in cyberspace.”