XENOTIME, the APT group behind the TRISIS industrial control system (ICS) event, has expanded its focus beyond the oil and gas industries, according to researchers. The group has recently been seen probing the networks of electric utility organizations in the U.S. and elsewhere – perhaps a precursor to a dangerous attack on critical infrastructure that could cause physical damage or loss of life.
“Offensive government programs worldwide are placing more emphasis and resources into attacking and disrupting industrial processes like oil, power and water,” said Sergio Caltagirone, vice president of threat intelligence at Dragos. He told Threatpost that “This means more attacks are coming. People will die, we just don’t know when.”
Researchers at Dragos first identified the change in targeting by XENOTIME (which FireEye previously attributed to a Russian government-owned technical research institute in Moscow) in late 2018. The attacks have continued into 2019.
“Multiple ICS sectors now face the XENOTIME threat; this means individual verticals – such as oil and gas, manufacturing or electric – cannot ignore threats to other ICS entities because they are not specifically targeted,” according to an analysis Dragos posted on Friday.
Traditionally, offensive ICS operations are so expensive and difficult that groups will focus and specialize on a sector and geography – such as Middle Eastern oil and gas, the firm pointed out. XENOTIME’s investment and interest in attacking ICS across geographic and industry boundaries – Dragos said it’s the first APT to achieve this transition – is a disturbing harbinger of things to come, researchers said.
“Attacking any industrial sector requires significant resources, which increase as capabilities and targeting expand,” according to the firm. “The high resource requirement previously limited such attacks to a few potential adversaries, but as more players see value and interest in targeting critical infrastructure – and those already invested see dividends from their behaviors – the threat landscape grows.”
Further, the expansion is expected to continue, according to Caltagirone.
“XENOTIME, the most dangerous cyberthreat in the world, provides a prime example of threat proliferation in ICS,” he said. “What was once considered an ‘oil and gas threat’ is now an electric threat too. XENOTIME is now targeting dozens of electric power utilities in at least the North American and Asia-Pacific regions, and continues to target oil and gas worldwide. Dragos expects this overlapping targeting will continue across sectors, from power, to water, to manufacturing and more.”
From TRISIS to Crisis?
The 2017 TRISIS (aka TRITON or HatMan) malware attack on a Saudi Arabian petrochemical facility targeted safety systems and was designed to cause loss of life or physical damage. The malware directly interacted with and controlled Triconex safety instrumented system (SIS) controllers, which are sold by Schneider Electric. SISes are the last line of automated safety defense for industrial facilities, designed to prevent equipment failure and catastrophic incidents such as explosions or fire. The malware managed to cause this fail-safe system to shut down (though a final-stage destructive attack never came).
TRISIS lives on in memory because to date, only a handful of malware, such as the infamous Stuxnet and Industroyer/Crash Override strains, has had the ability to impact the physical process of an ICS installation. TRISIS has not appeared elsewhere since 2017, but it’s worth noting that the same malware framework showed up in a second incident recently, according to FireEye researchers.
Following the 2017 attack, XENOTIME expanded its operations to include oil and gas entities outside the Middle East, Dragos noted. Additionally, the group compromised several ICS vendors and manufacturers in 2018, providing potential supply-chain threat opportunities and vendor-enabled access to target ICS networks.
“XENOTIME operations since the TRISIS event in 2017 included significant external scanning, network enumeration and open-source research of potential victims, combined with attempts at external access,” the researchers said. “This activity emphasized North American and European companies.”
Then, it expanded in terms of industrial sector: In February 2019, Dragos identified a persistent pattern of activity attempting to gather information and enumerate network resources associated with U.S. and Asia-Pacific electric utilities.
“This behavior could indicate the activity group was preparing for a further cyberattack, or at minimum satisfying the prerequisites for a future ICS-focused intrusion,” the researchers said. “The activities are consistent with Stage 1 ICS cyber kill chain reconnaissance and initial access operations, including observed incidents of attempted authentication with credentials and possible credential-stuffing, or using stolen usernames and passwords to try and force entry into target accounts.”
None of the electric-utility targeting events has resulted in a known, successful intrusion into victim organizations to date, but Dragos said that the persistent attempts and expansion in scope is cause for definite concern.
“XENOTIME is the only known entity to specifically target safety instrumented systems (SIS) for disruptive or destructive purposes,” according to the research. “Electric utility environments are significantly different from oil and gas operations in several aspects, but electric operations still have safety and protection equipment that could be targeted with similar tradecraft.”
To prepare for a potential onslaught, ICS operators should be ramping up now, said Caltagirone.
“Industrial control system owners and operators need to establish an authoritative understanding of their environments and begin searching for threat behaviors now, while preparing responses for the inevitable,” he told Threatpost. “Utilities, companies and governments must work cooperatively around the world and across industrial sectors to jointly defend lives and infrastructure from the increasing scope and scale of offensive critical infrastructure cyberattacks.”
Ransomware is on the rise: Don’t miss our free Threatpost webinar on the ransomware threat landscape, June 19 at 2 p.m. ET. Join Threatpost and a panel of experts as they discuss how to manage the risk associated with this unique attack type, with exclusive insights into new developments on the ransomware front and how to stay ahead of the attackers.