Electric lines in Page, Arizona
In an alarming new escalation, the hackers behind at least two potentially deadly intrusions into industrial facilities have expanded their reconnaissance to dozens of electric utilities in the US and elsewhere, researchers from the security company Dragos reported on Friday.
The group, which Dragos calls Xenotime, first drew international attention in 2017, when researchers from Dragos and from FireEye's Mandiant division reported that it had recently caused a dangerous shutdown at a critical-infrastructure facility in the Middle East. Dragos researchers have called the group the most dangerous cyber threat in the world.
The most worrying aspect of that attack was its use of never-before-seen malware that targeted the facility's safety instrumented systems (SIS). Such safety systems combine hardware and software and are used by many critical-infrastructure operators to prevent dangerous conditions from arising: when gas pressure or reactor temperature rises to a potentially hazardous threshold, for example, the SIS automatically closes valves or starts cooling processes to prevent accidents that could endanger health or life.
In April, FireEye reported that the SIS-tampering malware, known as both Triton and Trisis, had been used to attack a second industrial facility.
Spreading across sectors
Now Dragos reports that Xenotime is performing network scans and reconnaissance against multiple components of power grids in the United States and other regions. Sergio Caltagirone, senior vice president of threat intelligence at Dragos, told Ars that his company has found dozens of utilities (about 20 of them in the US) that Xenotime has probed since late 2018. While there is no evidence that any of the utilities has been compromised, he said the expansion is still concerning.
"The threat is spreading and is now targeting US and Asian electric companies, which means we are no longer sure that the threat to our power utilities is understood or stable," he said in an interview. "This is the first signal that threats are spreading across sectors, which means we cannot be sure that a threat to one sector will remain in that sector and not cross over."
One of the techniques used against the utilities is credential stuffing, in which passwords stolen in earlier, sometimes unrelated, breaches are tried in the hope that they will also work against new targets. Another is network scanning that probes and catalogs the various computers, routers and other connected devices, and lists the network ports on which they accept connections.
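The two reconnaissance patterns described above are exactly the kind of activity a utility's network and authentication logs can expose before any intrusion succeeds. The following detection script is an added example and is not code from the article, from Dragos or from any product it mentions. It assumes a hypothetical, constructed log format (one firewall line format and one authentication line format, both defined in the comments), groups events per source address into five-minute tumbling windows, and flags port scans, host sweeps and credential stuffing. The thresholds are illustrative and would need tuning for a real environment.

```python
"""Detection example for the reconnaissance patterns described in the article.

Assumed (hypothetical, constructed) log formats:
  firewall: "<iso-timestamp> fw src=<ip> dst=<ip> dport=<port> action=<allow|deny>"
  auth:     "<iso-timestamp> auth src=<ip> user=<name> result=<ok|fail>"
Thresholds below are illustrative only.
"""
from collections import defaultdict
from datetime import datetime
import re

FW_RE = re.compile(r"^(\S+) fw src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)$")
AUTH_RE = re.compile(r"^(\S+) auth src=(\S+) user=(\S+) result=(\w+)$")

BUCKET_MINUTES = 5        # tumbling window size
PORT_SCAN_MIN_PORTS = 8   # distinct ports on one host from one source
HOST_SWEEP_MIN_HOSTS = 8  # distinct hosts from one source
STUFFING_MIN_USERS = 5    # distinct accounts failing from one source


def bucket(ts):
    """Truncate an ISO timestamp to the start of its five-minute window."""
    t = datetime.fromisoformat(ts)
    return t.replace(minute=t.minute - t.minute % BUCKET_MINUTES, second=0, microsecond=0)


def detect_scans(lines):
    """Return sorted alerts for port scans (many ports, one host) and host sweeps."""
    ports = defaultdict(set)  # ((src, window), dst) -> set of dst ports
    hosts = defaultdict(set)  # (src, window) -> set of dst hosts
    for line in lines:
        m = FW_RE.match(line)
        if not m:
            continue
        ts, src, dst, port, _action = m.groups()
        key = (src, bucket(ts))
        ports[(key, dst)].add(int(port))
        hosts[key].add(dst)
    alerts = []
    for (key, dst), p in ports.items():
        if len(p) >= PORT_SCAN_MIN_PORTS:
            alerts.append(("port_scan", key[0], dst, len(p)))
    for key, h in hosts.items():
        if len(h) >= HOST_SWEEP_MIN_HOSTS:
            alerts.append(("host_sweep", key[0], None, len(h)))
    return sorted(alerts, key=str)


def detect_credential_stuffing(lines):
    """Flag a source that fails logins for many distinct accounts in one window.

    Each alert also lists accounts that source logged into successfully in the
    same window, since a success right after the spray is the case to act on.
    """
    failed = defaultdict(set)
    succeeded = defaultdict(set)
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts, src, user, result = m.groups()
        key = (src, bucket(ts))
        (succeeded if result == "ok" else failed)[key].add(user)
    alerts = []
    for key, users in failed.items():
        if len(users) >= STUFFING_MIN_USERS:
            alerts.append(("credential_stuffing", key[0], len(users),
                           sorted(succeeded.get(key, set()))))
    return sorted(alerts, key=str)


# Constructed sample logs (not real traffic). Port numbers are the well-known
# ICS/IT service ports a scanner would typically enumerate.
SCAN_PORTS = [21, 22, 23, 80, 102, 443, 502, 2404, 20000, 44818]
FW_LOG = [f"2018-12-03T10:00:{i:02d} fw src=203.0.113.10 dst=10.0.0.5 dport={p} action=deny"
          for i, p in enumerate(SCAN_PORTS)]
FW_LOG += [f"2018-12-03T10:00:{10 + i:02d} fw src=203.0.113.11 dst=10.0.0.{i} dport=502 action=deny"
           for i in range(1, 11)]
FW_LOG += [f"2018-12-03T10:01:{i:02d} fw src=10.0.0.50 dst=10.0.0.5 dport=443 action=allow"
           for i in range(3)]  # benign repeated HTTPS use

AUTH_LOG = [f"2018-12-03T10:01:{i:02d} auth src=198.51.100.7 user=ops{i} result=fail"
            for i in range(1, 6)]
AUTH_LOG.append("2018-12-03T10:01:06 auth src=198.51.100.7 user=hmi result=ok")
AUTH_LOG += ["2018-12-03T10:02:00 auth src=10.0.0.50 user=alice result=fail",
             "2018-12-03T10:02:05 auth src=10.0.0.50 user=alice result=ok"]  # benign typo

if __name__ == "__main__":
    for alert in detect_scans(FW_LOG) + detect_credential_stuffing(AUTH_LOG):
        print(alert)
```

The `_action` field is parsed but deliberately not used: a scan against filtered ports shows up as denies, while one against open ports shows up as allows, so filtering on either would blind the detector to half the cases. Tumbling windows keep the code short; a production detector would use sliding windows and per-asset baselines so that legitimate vulnerability scanners and monitoring hosts can be allow-listed rather than alerted on.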
The scale of the operation, the number of targets and the regions targeted, Caltagirone said, "shows more than a passing interest in the sector."
The first attack, which E&E News reported on in March, targeted the Petro Rabigh petroleum refinery in Saudi Arabia and its Triconex SIS product line, made by Schneider Electric. Analysis of the Triton malware showed that its developers had carried out extensive reverse engineering. The SIS targeted in the attack shut down operations after an error occurred while the hackers were conducting reconnaissance on the facility. Although the hackers may have been seeking the ability to cause physical damage to the facility, the November shutdown may have been an accident.
Less is known about Xenotime's intrusion into the second critical facility. It remains unclear, for example, whether it targeted a Triconex SIS or whether it caused any disruption or danger.
To date no one knows for sure who Xenotime is. Initial suspicions pointed to hackers working on behalf of Iran. Last October, FireEye assessed with confidence that Triton was developed with the help of the Central Research Institute of Chemistry and Mechanics in Moscow. Russia has also been tied to other critical-infrastructure attacks, including a December 2015 attack on regional power authorities in Ukraine that left hundreds of thousands of people in the Ivano-Frankivsk region without electricity. That attack was the first known power outage caused by hackers. Almost a year later, a second hack, also linked to Russia, again knocked out power in Ukraine.
A select group
Whoever is behind Xenotime, the group's demonstrated ability to cause physical destruction places it in a group of threat actors that so far is known to include only four others. In a report published Friday, Dragos researchers wrote:
While none of these events has so far resulted in a successful intrusion into a victim organization, the persistent attempts and widening scope are a cause for concern. XENOTIME has successfully compromised several oil and gas environments, demonstrating its ability to do so in other verticals. In particular, XENOTIME remains one of only four threats (along with ELECTRUM, Sandworm, and Stuxnet) to have executed a deliberate disruptive or destructive attack.
XENOTIME is the only known entity to specifically target SIS for disruptive or destructive purposes. Electric utilities differ greatly from oil and gas operations in several respects, but electric operations still have safety and protection equipment that could be targeted with similar tradecraft. XENOTIME's consistent, direct interest in electric utilities is a cause for deep concern, given this adversary's willingness to compromise process safety, and thus integrity, to fulfill its mission. Most of the observed XENOTIME activity focuses on the initial information gathering and access operations required for subsequent ICS intrusion operations. As seen in years of state-sponsored intrusions into electric infrastructure in the United States, the UK and elsewhere, adversaries are increasingly interested in the fundamentals of ICS operations and show all the hallmarks of the information and access gathering necessary for future attacks. While Dragos currently sees no evidence that XENOTIME (or any other activity group, such as ELECTRUM or ALLANITE) is capable of executing a disruptive or destructive event in electric operations, the observed activity strongly signals adversary interest in meeting the preconditions for
Xenotime's expansion into power companies was first reported by E&E News and Wired, citing a slide published by E-ISAC, part of the North American Electric Reliability Corporation. The slide indicated that Dragos had discovered Xenotime "performing reconnaissance and potential initial access operations" against North American grid targets, and noted that E-ISAC "is tracking similar information on the activity with electricity industry members and government partners." Dragos went public with its findings after receiving inquiries about the slide.