In recent months, security analysts at the Electricity Information Sharing and Analysis Center (E-ISAC) and the critical-infrastructure security firm Dragos have been tracking a group of sophisticated hackers carrying out broad scans of targets in the US power grid, apparently looking for entry points into their networks. Scanning alone hardly represents a serious threat. But these hackers, known as Xenotime, or sometimes as the Triton actor after their known malware, have a particularly dark history. The Triton malware was designed to disable the so-called safety instrumented systems of Saudi Arabia's Petro Rabigh oil refinery in a 2017 cyberattack, apparently in order to cripple equipment that monitors for leaks, explosions or other catastrophic physical events. Dragos has called Xenotime "easily the most dangerous threat activity publicly known."
Nothing indicates that the hackers are about to trigger a power outage, let alone a dangerous physical accident, in the United States. But Joe Slowik, a security researcher at Dragos who focuses on industrial control systems and has tracked Xenotime, says that such a notoriously aggressive group turning its attention to the American grid deserves everyone's attention.
"Xenotime has already proven its willingness not only to act in an industrial environment, but also, in a certain way, to target safety systems for possible disruption, accepting at a minimum the risk that an interruption could result in physical harm, or even harm to individuals," Slowik told WIRED. Xenotime's scans of the American grid, he adds, represent a first step toward carrying out the same type of destructive sabotage on American soil. "What worries me is that the actions observed so far are indicative of the preliminary actions needed to prepare for a future intrusion and potentially a future attack."
According to Dragos, Xenotime probed the networks of at least 20 different targets in the US electrical system, spanning every element of the grid, from power plants to transmission stations to distribution stations. Their scans ranged from looking for remote-connection portals to looking for vulnerable services on those networks, such as the buggy version of Server Message Block exploited by EternalBlue, the hacking tool that leaked from the NSA in 2017. "It's a combination of knocking on the door and trying a few doorknobs from time to time," Slowik says.
While Dragos only became aware of the new targeting in early 2019, it traced the activity back to mid-2018, mainly by examining the targets' network logs. Dragos also saw the hackers similarly scanning the networks of a "handful" of power grid operators in the Asia-Pacific region. Earlier in 2018, Dragos announced that Xenotime was targeting about half a dozen North American oil and gas targets. That activity consisted largely of the same kind of probing as observed more recently, but in some cases it also included attempts to authenticate to those networks.
While these cases cumulatively represented a disconcerting diversification of Xenotime's interests, Dragos said the hackers had actually compromised a target network in only a small number of incidents. Even then, according to Dragos' analysis, they never managed to extend their control from the IT network to the far more sensitive industrial control systems, a precondition for directly causing a physical breakdown or failure or for installing malware like Triton.
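The activity described above is visible in the perimeter logs that Dragos reviewed: a few external sources repeatedly touching SMB or remote-access ports across many internal hosts ("knocking on the door") or rattling several such ports on one exposed host ("trying a few doorknobs"). The following is an added example, not code from Dragos, E-ISAC or WIRED, of a small detector for exactly that pattern. The key=value log format, the watch list of ports, the internal address range and the sample log lines are all constructed assumptions for the example; the parser would need adapting to a real firewall or flow-log format.

```python
"""Flag external reconnaissance against SMB and remote-access ports in firewall logs.

Added example; the log format, watch list and sample lines are constructed, not
taken from any vendor or from the article. Adapt parse_line() to your own logs.
"""
from collections import defaultdict
import ipaddress
import re

# Services worth watching for the scanning described in the text: SMB (the
# service EternalBlue exploits) and common remote-access entry points.
# Hypothetical watch list; tune it per site.
WATCH_PORTS = {445: "smb", 3389: "rdp", 22: "ssh", 443: "https/vpn-portal"}

# Internal address space for this constructed example.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample lines in a simple key=value firewall format.
SAMPLE_LOG = """\
ts=2018-07-02T01:10:01Z src=203.0.113.7 dst=10.1.20.5 dport=445 action=deny
ts=2018-07-02T01:10:03Z src=203.0.113.7 dst=10.1.20.6 dport=445 action=deny
ts=2018-07-02T01:10:05Z src=203.0.113.7 dst=10.1.20.7 dport=445 action=deny
ts=2018-07-02T01:10:09Z src=203.0.113.7 dst=10.1.20.8 dport=445 action=deny
ts=2018-07-02T01:12:30Z src=198.51.100.4 dst=10.1.30.2 dport=443 action=allow
ts=2018-07-02T01:12:31Z src=198.51.100.4 dst=10.1.30.2 dport=3389 action=deny
ts=2018-07-02T01:12:32Z src=198.51.100.4 dst=10.1.30.2 dport=22 action=deny
ts=2018-07-02T02:00:00Z src=10.2.2.2 dst=10.1.20.5 dport=445 action=allow
ts=2018-07-02T02:05:00Z src=192.0.2.9 dst=10.1.30.2 dport=443 action=allow
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def parse_line(line):
    """Return (src, dst, dport) for a log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], int(m["dport"])


def is_internal(addr):
    """True if addr falls inside one of the configured internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def detect_recon(log_text, sweep_min=3, ports_min=2):
    """Return findings for external sources touching watched ports.

    sweep: one watched port tried against >= sweep_min distinct internal hosts
           (the "knocking on the door" pattern across the estate)
    probe: >= ports_min distinct watched ports tried on a single internal host
           (the "trying a few doorknobs" pattern on one exposed system)
    Both allowed and denied connections count: a successful hit on an exposed
    portal is part of the same reconnaissance as the denied ones around it.
    """
    per_src_port = defaultdict(set)  # (src, port) -> {dst hosts}
    per_src_host = defaultdict(set)  # (src, dst)  -> {ports}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, port = parsed
        if is_internal(src) or port not in WATCH_PORTS:
            continue
        per_src_port[(src, port)].add(dst)
        per_src_host[(src, dst)].add(port)

    findings = []
    for (src, port), hosts in per_src_port.items():
        if len(hosts) >= sweep_min:
            findings.append({"type": "sweep", "src": src,
                             "service": WATCH_PORTS[port], "hosts": sorted(hosts)})
    for (src, dst), ports in per_src_host.items():
        if len(ports) >= ports_min:
            findings.append({"type": "probe", "src": src, "host": dst,
                             "services": sorted(WATCH_PORTS[p] for p in ports)})
    return sorted(findings, key=lambda f: (f["src"], f["type"]))


if __name__ == "__main__":
    for finding in detect_recon(SAMPLE_LOG):
        print(finding)
```

On the constructed sample, one source sweeps port 445 across four hosts and another tries three watched ports on a single host, while the internal source and the lone allowed HTTPS connection are left alone. The thresholds are deliberately low so the example is legible; in production they would be tuned against the site's baseline, and a single external source allowed through to a VPN portal after rattling other ports is the kind of event worth correlating with authentication logs, since the text notes that Xenotime's earlier oil-and-gas activity included attempts to authenticate.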
In contrast, in its 2017 attack on the Petro Rabigh refinery in Saudi Arabia, Xenotime not only gained access to the industrial control system network, but exploited a vulnerability in the Triconex safety instrumented systems made by Schneider Electric that the refinery used, essentially knocking out that safety equipment. The sabotage could have been the precursor to a serious physical accident. Fortunately, the hackers instead triggered an emergency shutdown of the plant, apparently by accident, with no more serious physical consequences.
Whether Xenotime would attempt Triton-style sabotage against the American grid is far from clear. According to Slowik, many of the targeted victims do not use safety instrumented systems, although some use these physical safety systems to protect equipment such as generation turbines. And grid operators commonly use other digital protection equipment, such as protective relays that watch for overloaded or improperly synchronized equipment, to prevent accidents.
Dragos said it had warned its customers and other industry members who share information with the company about Xenotime's recent targeting activity. But the new findings became public partly because of an accidental leak: E-ISAC, part of the North American Electric Reliability Corporation, published a March presentation on its website that included a slide showing a screenshot of a Dragos and E-ISAC report on Xenotime's activity. The report notes that Dragos detected Xenotime "performing reconnaissance operations and potential initial access operations" against North American grid targets, and that E-ISAC "tracked information on similar activities provided by members of the electricity sector and government partners." E-ISAC did not respond to WIRED's request for further comment.
Dragos stops well short of naming any country likely to be behind Xenotime's attacks. Despite initial speculation that Iran was responsible for the Triton attack in Saudi Arabia, the security firm FireEye in 2018 pointed to forensic links between the attack on Petro Rabigh and a research institute in Moscow, the Central Scientific Research Institute of Chemistry and Mechanics. If Xenotime is indeed a Russian group or a Russia-sponsored group, it would not be the first Russian hackers to target the grid. The Russian hacker group known as Sandworm is believed to be responsible for the attacks on Ukrainian electric utilities in 2015 and 2016 that cut off power to hundreds of people, the only confirmed power outages ever triggered by hackers. And last year, the US Department of Homeland Security warned that a Russian group known as Palmetto Fusion or Dragonfly 2.0 had gained access to actual US utility control systems, bringing them much closer than Xenotime has so far come.
Nevertheless, FireEye, which responded to the Petro Rabigh attack in 2017 and to another breach by the same hackers, confirms Dragos' assessment that Xenotime's new targeting of the American grid is worrying. "Scanning is baffling," says John Hultquist, FireEye's threat intelligence manager. "Scanning is the first step of a long series, but it suggests an interest in this space. It's not as worrying as them dropping their Triton implant on critical US infrastructure, but it's something we want to watch and monitor."
Beyond the threat to the US grid, Dragos' vice president of threat intelligence, Sergio Caltagirone, says Xenotime's widening targeting shows how state-sponsored hacking groups are becoming more ambitious. Such groups have only expanded the scope of their activities, he says. "Xenotime went from oil and gas, operating only in the Middle East, to North America in early 2018, and then to the North American power grid in mid-2018, and this proliferation of threat is the most dangerous thing in cyberspace."