Throwback Attack: Xenotime probes the U.S. power grid

Courtesy: CFE Media and Technology

It has been a few years since Xenotime, the notorious Russian hacker group, first gained global attention for their targeted attack on a Saudi Arabian petrochemical plant. Since then, their nefarious activities have continued to evolve, with a recent focus on the U.S. power grid.

In 2019, Xenotime probed the U.S. power grid, presumably to find vulnerabilities and learn about the cyber measures in place to protect it. While nothing came of this probing (as far as we know), it raised concerns about what Xenotime is going to do next. As the cybersecurity world closely monitors this development, it’s essential for us to understand the potential risks and implications that come with this new challenge.

What is Xenotime probing and why?

First, what exactly is Xenotime probing? According to Wired, “Their scanning ranged from searching for remote login portals to scouring networks for vulnerable features.” This type of activity is considered an early phase of reconnaissance, typically carried out to identify potential vulnerabilities and entry points for future cyberattacks. It’s like a burglar casing a neighborhood, noting weak points and security gaps to exploit later.

In 2016, Xenotime used a malware called CRASHOVERRIDE to attack a Ukrainian power grid. The attack left Ukrainian citizens without power before it was restored by the grid operators. This attack was unrelated to the 2015 Ukrainian power grid attack.

Why should we be concerned? As Dragos explains, “Xenotime expressing consistent, direct interest in electric utility operations is a cause for deep concern given this adversary’s willingness to compromise process safety — and thus integrity — to fulfill its mission.” Xenotime is the group responsible for the Triton malware attack on a Saudi Arabian petrochemical facility in 2017. Triton malware targets Triconex safety instrument system (SIS) controllers to disable those safety systems. The consequences of that attack could have been catastrophic, with Wired stating that, “Triton was designed to disable safety systems, enabling the hackers to cause physical destruction and potentially even loss of life.”

Recently, ICS Pulse conducted an interview with Waterfall Security’s Jesus Molina to talk about the rise of physical consequences from cyberattacks. “You need to make sure that IT (information technology) systems that handle data and systems that handle operations in critical infrastructure are separated,” said Molina. He also suggested consistent reporting on the state of systems and monitoring for changes.

The evolution of Xenotime’s cyber activity

Xenotime’s shift from targeting the oil and gas sector to the electric industry is a significant development, as it indicates a broader focus on critical infrastructure. According to Dragos, “Xenotime is the only known entity to specifically target safety instrumented systems (SIS) for disruptive or destructive purposes.” This means that the hackers are not only looking to disrupt operations but also to cause actual harm to equipment and infrastructure.

The New York Post highlighted that the group’s activities have expanded beyond the Middle East, with Xenotime now targeting, “electric utilities in the U.S. and Asia-Pacific regions.” This global expansion underscores the growing threat posed by this highly capable cyber adversary.

Preventive measures and vigilance

It’s essential not to underestimate the potential damage a successful cyberattack on the U.S. power grid could cause. Wired quotes Sergio Caltagirone, vice president of threat intelligence at Dragos, who warns that, “Even a small disruption to the power grid could have cascading effects that cause outages lasting days, weeks or even months.” This highlights the importance of investing in robust cybersecurity measures to defend against such threats.

Dragos advises that organizations in the energy sector should ensure they have “visibility and monitoring of their industrial control systems (ICS), including network segmentation, and robust incident response and recovery plans.” These proactive steps can help reduce the risk of a successful cyberattack and minimize the potential impact if one were to occur.

As Xenotime’s activities continue to evolve and expand, the need for vigilance and strong cybersecurity measures within the U.S. power grid have become more pressing. According to Wired, “We need to be prepared for this adversary and others like them, because the risk is real and the stakes are high.” All sectors of cybersecurity must collaborate and share information to stay ahead of groups like Xenotime.

Ultimately, while Xenotime’s probing of the U.S. power grid may not have led to any successful attacks yet, the threat it poses is clear. By understanding the risks and potential consequences, the energy sector and the nation as a whole can take the necessary steps to defend against this emerging and evolving cyber menace. Staying ahead of the curve, investing in strong cybersecurity measures and fostering collaboration across sectors will be crucial in ensuring that the U.S. power grid remains safe and secure in the face of growing cyber threats.




Keep your finger on the pulse of top industry news