XENOTIME Now Targeting Electric Utility Companies


Xenotime is the threat group first observed in 2017, when it used the malware now known as Triton (also called Trisis) to sabotage the safety instrumented systems at an oil refinery in Saudi Arabia. At the time, it reached the ICS portion of the network through traditional lateral movement from the corporate IT network.

This matters because Triton was designed not merely to be destructive, but to disable safety systems in a way that could injure or kill people. One information security group has indicated that only three groups are currently known to pursue this outcome; Critical Path Security staff have observed more.

Though we have worked with Electric Membership Organizations and observed several breaches, we cannot definitively tie those incidents to Xenotime. We are confident, however, that its tactics would prove effective against those environments.

Dragos has stated that "Trisis has been observed doing some of the slow, deliberate groundwork to launch an attack."

We believe that Industrial Control Systems are experiencing increased attacks because of the long service lives they are expected to have in the field. Though highly specialized, the protocols are generally well documented, and cyber security controls are light because of the disruption they might introduce to the process.

Additionally, many devices cannot be upgraded, and cannot support modern encryption or the security controls that are common in IT.

When you add the recent push for Smart Grid and the introduction of IoT, we see a rapid convergence of Information Technology and Operational Technology. This could prove highly dangerous, as the operating procedures currently applied to energy infrastructure are largely based on default settings and credentials.

All that being said, Critical Path Security recommends the following.

Multi-directional and Multi-contextual Passive Analysis - As most ICS devices cannot support an agent or tolerate continual active scanning, it is incredibly important to perform ongoing passive network analysis with dedicated, knowledgeable analysts. Because mainstream ICS devices still use unencrypted protocols, a passive sensor can see every function code, register address and value on the wire, so baselining normal behaviour and spotting deviations from it is relatively straightforward.

Asset Identification and Tracking - It is impossible to protect assets that you do not know you have. We recommend automatic asset discovery and tracking, with those assets observed on an ongoing basis. Actionable alerts should be delivered when anomalies, malicious or not, are observed: a new device on the control network, a new talker to a PLC, or a function code that a device has never issued before.
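The following is an added example, not code from Critical Path Security, showing what the passive analysis and asset tracking recommended above look like in practice on one unencrypted ICS protocol. It uses Modbus/TCP (the page does not name a protocol; Modbus is assumed here because it is the most common unencrypted one), parses the MBAP header and function code of each observed frame, builds an asset inventory as hosts appear, and raises alerts on new assets, on write function codes from a source that is not on an allow-list, on exception responses, and on malformed frames. The IP addresses, the allow-list and the replayed traffic are constructed for the example.

```python
"""Passive Modbus/TCP monitor: asset inventory plus behavioural alerts.

Added example (not the original page's code). Works on already-captured
frames so it never touches the PLC; feed it (src, sport, dst, dport, payload)
tuples from a span port or pcap.
"""
import struct
from dataclasses import dataclass, field

MODBUS_PORT = 502
# Function codes that change PLC state (Modbus Application Protocol spec).
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10, 0x17}
FUNCTION_NAMES = {
    0x01: "ReadCoils", 0x03: "ReadHoldingRegisters",
    0x05: "WriteSingleCoil", 0x06: "WriteSingleRegister",
    0x0F: "WriteMultipleCoils", 0x10: "WriteMultipleRegisters",
    0x17: "ReadWriteMultipleRegisters",
}


@dataclass(frozen=True)
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function: int        # function code with the exception bit (0x80) cleared
    is_exception: bool   # True when the server answered with an exception
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusFrame:
    """Parse one Modbus/TCP frame (7-byte MBAP header + PDU); ValueError if malformed."""
    if len(payload) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    # The length field counts unit id + PDU; a mismatch means truncation or tampering.
    if length != len(payload) - 6:
        raise ValueError("declared length disagrees with frame size")
    fc = payload[7]
    return ModbusFrame(tid, unit, fc & 0x7F, bool(fc & 0x80), payload[8:])


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass
class PassiveMonitor:
    authorized_writers: frozenset                 # hosts allowed to issue writes (assumed allow-list)
    assets: dict = field(default_factory=dict)    # host -> {"role": set, "functions": set}
    alerts: list = field(default_factory=list)

    def observe(self, pkt: Packet) -> list:
        """Record the packet in the inventory and return any alerts it produced."""
        found = []
        for host in (pkt.src, pkt.dst):
            if host not in self.assets:
                self.assets[host] = {"role": set(), "functions": set()}
                found.append(f"NEW_ASSET {host}")
        try:
            frame = parse_modbus_tcp(pkt.payload)
        except ValueError as err:
            found.append(f"MALFORMED {pkt.src}->{pkt.dst}: {err}")
            self.alerts.extend(found)
            return found
        name = FUNCTION_NAMES.get(frame.function, f"fc{frame.function:#04x}")
        if pkt.dport == MODBUS_PORT:          # request: client -> server
            self.assets[pkt.src]["role"].add("client")
            self.assets[pkt.dst]["role"].add("server")
            self.assets[pkt.dst]["functions"].add((frame.unit_id, name))
            if frame.function in WRITE_FUNCTIONS and pkt.src not in self.authorized_writers:
                found.append(f"UNAUTHORIZED_WRITE {pkt.src}->{pkt.dst} unit {frame.unit_id} {name}")
        elif frame.is_exception:              # response carrying a Modbus exception code
            code = frame.data[0] if frame.data else None
            found.append(f"EXCEPTION {pkt.src}->{pkt.dst} {name} code {code}")
        self.alerts.extend(found)
        return found


def mbap(tid: int, unit: int, pdu: bytes) -> bytes:
    """Wrap a PDU in an MBAP header (used only to construct the sample traffic)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def run_sample() -> PassiveMonitor:
    """Replay constructed traffic: an HMI polls a PLC, then an unknown host writes a register."""
    hmi, plc, rogue = "10.10.1.20", "10.10.2.5", "10.10.1.77"   # constructed addresses
    mon = PassiveMonitor(authorized_writers=frozenset({hmi}))
    traffic = [
        Packet(hmi, 50000, plc, 502, mbap(1, 1, bytes([0x03, 0, 0, 0, 2]))),       # read 2 holding regs
        Packet(plc, 502, hmi, 50000, mbap(1, 1, bytes([0x03, 4, 0, 10, 0, 20]))),   # normal reply
        Packet(rogue, 40001, plc, 502, mbap(7, 1, bytes([0x06, 0, 5, 0xFF, 0xFF]))),  # write register 5
        Packet(plc, 502, rogue, 40001, mbap(7, 1, bytes([0x86, 0x02]))),            # exception 02: illegal address
        Packet(rogue, 40002, plc, 502, b"\x00\x08\x00\x00\x00\x06\x01"),            # truncated frame
    ]
    for pkt in traffic:
        mon.observe(pkt)
    return mon


if __name__ == "__main__":
    for alert in run_sample().alerts:
        print(alert)
```

Direction is inferred from the destination port, so the PLC's echo of a write function code in its response is not mistaken for a second write. In a real deployment the allow-list would come from the asset inventory after a baselining period, and "new talker" alerts would be tuned per PLC rather than per host.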

Response - When dealing with ICS-specific intrusions, internal teams should leverage all available and applicable resources in a planned response. This should include the following steps.

  • Maintain a printed incident response contact list and keep it updated. There is little worse than trying to hunt down a response plan that has been encrypted by ransomware.
  • Maintain known-good configurations for rapid recovery.
  • Harness tribal knowledge. Quite often, certain team members are aware of workarounds to get systems online quickly.
  • Have someone prepared for making public statements.

As always, should you have questions or concerns, feel free to reach out to a Critical Path Security team member.
