UPDATED 23:53 EDT / MAY 24 2018

Xenotime hacking group targeting industrial safety systems in the US

The same group behind the Triton malware attack that targeted critical industrial infrastructure in the Middle East last year is believed to be behind a new campaign targeting industrial control systems in the U.S.

Dubbed “Xenotime” by security researchers at Dragos Inc., the group is described as the “most dangerous threat activity [group] publicly known.” It is said to be using a variant of Triton, also known as Trisis, to target a range of safety instrumented systems, not just the Schneider Electric SE systems used at the oil and gas facilities attacked last year.

The new attacks appear to be highly targeted, with the goal of causing physical damage rather than mere system disruption. “Targeting a safety system indicates [the intent of] significant damage and loss of human life were either intentional or acceptable goals of the attack, a consequence not seen in previous disruptive attacks,” the researchers explained.

Safety instrumented systems are the part of an industrial control system designed to act when a process goes wrong, enabling operators to bring it under control and, if necessary, shut it down before an incident escalates. An attacker who controls that layer can disable the last safeguard against physical harm. “Dragos assesses with moderate confidence that Xenotime intends to establish required access and capability to cause a potential, future disruptive — or even [a] destructive — event,” researchers said.

Oren Aspir, chief technology officer at Cyberbit Ltd., told SiliconANGLE that the attack bears a “striking resemblance” to the Russian attack on U.S. critical infrastructure reported by US-CERT earlier this year.

“Both attacks started with social engineering to persuade employees to open phishing emails or visit watering hole websites,” Aspir explained. “Attackers then gained administrative access to IT networks, from which they’ve identified information technology/operational technology touch points to make their way into industrial control systems.”

Most ICS attacks Cyberbit sees, he added, take advantage of the convergence of information technology and operational technology operations. “Companies managing industrial control networks should abandon the assumption that IT and OT can be fully segregated and start treating OT security at the same level of seriousness as they approach IT security,” Aspir recommended. “It starts with obtaining visibility in your OT network. Today organizations can deploy, within days, solutions for OT visibility and detect anomalies. These could have easily detected this attack.”
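The attack path Aspir describes (IT compromise, then a hop across an IT/OT touchpoint into the control and safety networks) is exactly what passive OT visibility is meant to surface. The script below is an added example written for this article, not code from Dragos, Cyberbit or any vendor: it baselines which zones talk to which OT hosts and services during a trusted learning window, then flags two things in later flow records, any IT host reaching an OT zone directly, and any first-seen touchpoint into the control or safety network. The zone subnets, port numbers and flow lines are all constructed for the demonstration and are assumptions, not details from the article.

```python
"""Flag IT-to-OT boundary crossings and first-seen OT touchpoints in flow records.

Added example for illustration only. The zone layout, ports and flow records
below are constructed assumptions, not data from the article or any real plant.
"""
import ipaddress
from collections import namedtuple

# Assumed zone layout: an IT network, a DMZ for jump hosts, a control network
# and a separate safety network. Adjust to your own segmentation.
ZONES = {
    "IT":         ipaddress.ip_network("10.1.0.0/16"),
    "DMZ":        ipaddress.ip_network("10.2.0.0/24"),      # jump hosts, historian replicas
    "OT_CONTROL": ipaddress.ip_network("192.168.10.0/24"),  # PLCs, HMIs, engineering workstations
    "OT_SAFETY":  ipaddress.ip_network("192.168.20.0/24"),  # safety instrumented systems
}
OT_ZONES = {"OT_CONTROL", "OT_SAFETY"}

Flow = namedtuple("Flow", "ts src dst dport proto")
Alert = namedtuple("Alert", "ts src dst dport reason")


def zone_of(ip: str) -> str:
    """Map an IP address to the zone whose subnet contains it."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated record: ts src dst dport proto."""
    ts, src, dst, dport, proto = line.split()
    return Flow(ts, src, dst, int(dport), proto.lower())


def touchpoint(flow: Flow) -> tuple:
    """The key we baseline: which zone talks to which OT host on which service."""
    return (zone_of(flow.src), zone_of(flow.dst), flow.dst, flow.dport, flow.proto)


def learn_baseline(lines) -> set:
    """Collect every OT-bound touchpoint seen during a known-good learning window."""
    baseline = set()
    for line in lines:
        flow = parse_flow(line)
        if zone_of(flow.dst) in OT_ZONES:
            baseline.add(touchpoint(flow))
    return baseline


def detect(lines, baseline: set) -> list:
    """Return alerts for IT-to-OT crossings and for OT touchpoints absent from the baseline."""
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
        if dst_zone not in OT_ZONES:
            continue  # only OT-bound traffic is in scope
        if src_zone == "IT":
            # Policy violation regardless of baseline: IT must never reach OT directly.
            alerts.append(Alert(flow.ts, flow.src, flow.dst, flow.dport,
                                "IT host reached OT zone directly, bypassing the DMZ"))
        elif touchpoint(flow) not in baseline:
            target = "safety network" if dst_zone == "OT_SAFETY" else "control network"
            alerts.append(Alert(flow.ts, flow.src, flow.dst, flow.dport,
                                f"first-seen touchpoint into {target}"))
    return alerts


# Constructed sample data (not real traffic). Format: ts src dst dport proto
BASELINE_FLOWS = [
    "2018-05-01T08:00:00 10.2.0.5 192.168.10.20 502 tcp",         # DMZ jump host -> PLC
    "2018-05-01T09:00:00 192.168.10.30 192.168.20.10 502 tcp",    # HMI polls safety controller
]
OBSERVED_FLOWS = [
    "2018-05-20T02:13:07 10.1.44.9 192.168.10.40 3389 tcp",       # IT host -> engineering workstation
    "2018-05-20T02:20:41 192.168.10.40 192.168.20.10 1502 udp",   # workstation -> safety controller, new service
    "2018-05-20T03:00:00 10.2.0.5 192.168.10.20 502 tcp",         # baselined, no alert
    "2018-05-20T03:01:00 192.168.10.30 192.168.20.10 502 tcp",    # baselined, no alert
    "2018-05-20T03:02:00 10.1.44.9 10.1.50.2 445 tcp",            # IT-internal, out of scope
]


def run_example() -> list:
    """Learn from the baseline window, then evaluate the observed window."""
    return detect(OBSERVED_FLOWS, learn_baseline(BASELINE_FLOWS))


if __name__ == "__main__":
    for alert in run_example():
        print(f"{alert.ts} {alert.src} -> {alert.dst}:{alert.dport}  {alert.reason}")
```

Two caveats a practitioner would add. First, the baseline is only as good as its learning window: if the attacker was already inside when you started learning, their touchpoints become "normal", so review the learned set by hand rather than trusting it blindly. Second, feed this from a passive tap or SPAN port; never gather OT visibility by actively scanning safety controllers, which can trip the very systems you are trying to protect.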

Photo: Tennessee Valley Authority/Wikimedia Commons
