June 15, 2019
Hackers and hacking attacks have become far too common these days, and even the largest of the recent hacks no longer surprise people nearly as much as they did a few years ago. However, when a major, well-known hacking group makes a move, security experts tend to pay attention. And when the group in question is the one responsible for what is likely one of the most dangerous cyberattacks ever — everyone is on high
This is exactly the situation right now, as the hackers responsible for the Triton malware appear to be scanning the US power grid, attempting to find vulnerabilities. The hackers, known as Xenotime, spent several months scanning the US power grid in an attempt to find a way in, according to the US E-ISAC (Electricity Information Sharing and Analysis Center).
E-ISAC took the threat seriously and began collaborating with a security company known as Dragos. The two joined forces to track and repel hacking attacks, should they come. For now, many would agree that the simple vulnerability scans the hackers have been performing are not too big of an issue. However, if their scans end up identifying a vulnerability, there may be serious consequences.
Why is Xenotime such a big
Xenotime used to be just like any other hacking group, with not many people paying much attention to them. Researchers tracked them and their activities, but the group was not seen as anything special. Then they came up with their Triton malware, which was created to disable the safety systems at a Saudi Arabian oil refinery.
The attack on Petro Rabigh came in 2017, and it attempted to cripple the equipment and systems used to prevent malfunctions, explosions, and the like. The incident put Xenotime on the map as the most dangerous online threat in history. With that in mind, it is easy to understand why everyone is keeping a close eye on the hackers’ activities. So far, there is nothing to indicate that they are about to trigger a major power outage. Experts also don’t believe that a large physical accident is about to happen.
However, the group’s reputation does not allow experts to treat their activities lightly. Dragos security researcher Joe Slowik said so himself, pointing out that the group has proven itself both willing and capable of causing major harm, and potentially loss of life. He believes that Xenotime’s move towards scanning the US grid should be taken as a warning of much greater incidents that might follow.
It is unclear whether the hackers are seeking out something in particular or any sort of vulnerability at all. So far, they have scanned around 20 US electric systems, including grid elements such as power generation plants. Their scans were very thorough, searching for anything from remote login portals to exploitable weaknesses like bugs, backdoors, and the like.
Researchers keeping an eye on
Dragos became aware of Xenotime’s activities earlier this year, although it had been trying to trace the group since mid-2018. Most of the time, the researchers looked at the logs of targeted networks. They noticed that the hackers were performing similar scanning operations in Asia and the Pacific region. However, in 2018 the company also noticed that the hackers were looking into North American oil and gas targets. Xenotime actually managed to find a way into some of these networks, although they never managed to gain full control. So far, their US grid probing has been less successful than the oil and gas scans, and the hackers apparently still haven’t found their entry point.
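The article says the researchers spotted the scanning by looking at the logs of targeted networks. The following is an added example, not code from the article, Dragos, or E-ISAC, of what that kind of log review looks like in practice: a small detector that replays constructed firewall-style log lines and flags any source that touches an unusually large number of distinct host/port targets inside a short window, then notes whether the ports it touched include remote-access services (SSH, RDP, VNC) or common ICS protocols (Modbus/TCP on 502, DNP3 on 20000). The log format, the IP addresses (all from documentation ranges), the window and the threshold are assumptions chosen for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed firewall-style log lines for the example. They do not come from
# the article or from any real network; addresses are documentation ranges.
SAMPLE_LOGS = """\
2019-06-01T10:00:01Z src=203.0.113.5 dst=10.0.0.7 dport=22 action=deny
2019-06-01T10:00:02Z src=203.0.113.5 dst=10.0.0.7 dport=3389 action=deny
2019-06-01T10:00:03Z src=203.0.113.5 dst=10.0.0.8 dport=22 action=deny
2019-06-01T10:00:04Z src=203.0.113.5 dst=10.0.0.9 dport=443 action=deny
2019-06-01T10:00:05Z src=203.0.113.5 dst=10.0.0.10 dport=502 action=deny
2019-06-01T10:00:06Z src=203.0.113.5 dst=10.0.0.11 dport=3389 action=deny
2019-06-01T10:00:07Z src=203.0.113.5 dst=10.0.0.12 dport=22 action=deny
2019-06-01T10:00:08Z src=203.0.113.5 dst=10.0.0.13 dport=8080 action=deny
2019-06-01T10:00:09Z src=203.0.113.5 dst=10.0.0.14 dport=22 action=allow
2019-06-01T10:00:10Z src=203.0.113.5 dst=10.0.0.15 dport=3389 action=deny
2019-06-01T10:00:11Z src=203.0.113.5 dst=10.0.0.16 dport=22 action=deny
2019-06-01T10:00:12Z src=203.0.113.5 dst=10.0.0.17 dport=20000 action=deny
2019-06-01T10:05:00Z src=198.51.100.9 dst=10.0.0.7 dport=443 action=allow
2019-06-01T10:05:30Z src=198.51.100.9 dst=10.0.0.7 dport=443 action=allow
2019-06-01T11:00:00Z src=192.0.2.44 dst=10.0.0.7 dport=22 action=allow
"""

# Assumed log layout: "<iso-timestamp> src=<ip> dst=<ip> dport=<n> action=<word>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)

REMOTE_ACCESS_PORTS = {22, 3389, 5900}  # SSH, RDP, VNC: the "remote login portals" of the article
ICS_PORTS = {502, 20000}                # Modbus/TCP and DNP3, common in grid environments


def parse_logs(text):
    """Turn raw log text into (timestamp, src, dst, dport, action) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole review
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["dst"], int(m["dport"]), m["action"]))
    events.sort(key=lambda e: e[0])
    return events


def detect_sweeps(events, window=timedelta(seconds=60), threshold=10):
    """Flag sources that contact >= threshold distinct (dst, dport) pairs within one window.

    A sliding window per source keeps a Counter of the targets currently inside
    the window, so a slow, spread-out pattern is not confused with a burst scan.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        in_window = Counter()  # (dst, dport) -> hits inside the current window
        left = 0
        for right, (ts, _, dst, dport, _) in enumerate(evs):
            in_window[(dst, dport)] += 1
            # Drop events that fell out of the window on the left side.
            while evs[left][0] < ts - window:
                old = (evs[left][2], evs[left][3])
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= threshold:
                f = findings.setdefault(src, {
                    "first_seen": evs[left][0].isoformat(),
                    "distinct_targets": 0,
                    "ports": set(),
                    "allowed_hits": 0,
                })
                f["distinct_targets"] = max(f["distinct_targets"], len(in_window))
                f["ports"] |= {p for _, p in in_window}
                # Allowed connections during a sweep matter most: they show what the scanner reached.
                f["allowed_hits"] = max(
                    f["allowed_hits"],
                    sum(1 for e in evs[left:right + 1] if e[4] == "allow"),
                )

    # Present the port sets as sorted lists, split by what they would tell a reviewer.
    for f in findings.values():
        ports = f.pop("ports")
        f["remote_access_ports"] = sorted(ports & REMOTE_ACCESS_PORTS)
        f["ics_ports"] = sorted(ports & ICS_PORTS)
        f["other_ports"] = sorted(ports - REMOTE_ACCESS_PORTS - ICS_PORTS)
    return findings


def review_sample():
    """Run the detector over the constructed sample and return the findings."""
    return detect_sweeps(parse_logs(SAMPLE_LOGS))


if __name__ == "__main__":
    for src, f in review_sample().items():
        print(f"{src}: {f}")
```

Only the burst of twelve distinct targets from 203.0.113.5 is reported; the repeated visits from 198.51.100.9 to a single host and the lone SSH login from 192.0.2.44 stay below the threshold. The detail a reviewer cares about most is `allowed_hits`: a sweep where every probe was denied is noise to be tracked, while one that included an accepted connection tells you which host to examine next.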
The main concern now is whether the group would try the same type of sabotage against the US grid as they did in Saudi Arabia. A lot of their victims do not use safety-instrumented systems, but some of them do use physical safety systems.
So far, it is not known which country — if any — might be supporting the hackers’ activities. There was much speculation that Iran might have been behind the attack on Saudi Arabia, but others pointed out that there were forensic links tying the attack to a Moscow research institute. If Xenotime is indeed operating from Russia, they would not be the first such group to try to hit the US power grid. A group known as Sandworm already carried out power grid attacks in Ukraine in 2015 and 2016, which left hundreds of thousands of people without power.
Not to mention that just last year, Dragonfly 2.0, also known as Palmetto Fusion, accessed the control systems of American power utilities. All of these groups got much further towards actually causing disruptions than Xenotime has so far. Even so, researchers believe that the group is extremely dangerous, and as such, its activities must be closely monitored at all times.