Xenotime hacking group targeting industrial safety systems in the US
The same group behind the Triton malware attack that targeted critical industrial infrastructure in the Middle East last year is believed to be behind a new campaign targeting industrial control systems in the U.S.
Dubbed “Xenotime” by security researchers at Dragos Inc., the group is described as the “most dangerous threat activity [group] publicly known.” It’s said to be using a variant of Triton, also known as Trisis, to target a variety of safety instrumented systems, not just the Schneider Electric SE systems used in the oil and gas facilities attacked last year.
The new attacks appear to be highly targeted, with the goal of causing physical damage rather than mere system disruption. “Targeting a safety system indicates [the intent of] significant damage and loss of human life were either intentional or acceptable goals of the attack, a consequence not seen in previous disruptive attacks,” the researchers explained.
Industrial control systems are designed to provide assistance when problems emerge in industrial processes, enabling engineers to control and possibly shut down processes in the event of an incident. “Dragos assesses with moderate confidence that Xenotime intends to establish required access and capability to cause a potential, future disruptive — or even [a] destructive — event,” researchers said.
Oren Aspir, chief technology officer at Cyberbit Ltd., told SiliconANGLE that the attack bears a “striking resemblance” to the Russian attack on U.S. critical infrastructure reported by US-CERT earlier this year.
“Both attacks started with social engineering to persuade employees to open phishing emails or visit watering hole websites,” Aspir explained. “Attackers then gained administrative access to IT networks, from which they’ve identified information technology/operational technology touch points to make their way into industrial control systems.”
Most ICS attacks Cyberbit sees, he added, take advantage of the convergence of information technology and operational technology operations. “Companies managing industrial control networks should abandon the assumption that IT and OT can be fully segregated and start treating OT security at the same level of seriousness as they approach IT security,” Aspir recommended. “It starts with obtaining visibility in your OT network. Today organizations can deploy, within days, solutions for OT visibility and detect anomalies. These could have easily detected this attack.”
Photo: Tennessee Valley Authority/Wikimedia Commons