Blake Sobczak, E&E News reporter Friday, June 14, 2019

An electric grid substation. Photo credit: DOE/Flickr
A North American Electric Reliability Corp. report finds that a notorious hacking group has engaged in “reconnaissance” activities directed at U.S. electric utilities since late last year.

Some of the world’s most dangerous hackers have zeroed in on the U.S. power sector in recent months, according to a nonpublic alert issued by the North American Electric Reliability Corp. this spring and new research.

The grid regulator, together with the industrial cybersecurity firm Dragos Inc., sounded the alarm on March 1 in a report about a notorious hacking group known as “Xenotime.” Xenotime has been spotted hitting U.S. electric utilities with “reconnaissance and potential initial access operations” since late last year, the alert said.

The hacking group, infamous for infecting the safety systems of a Saudi petrochemical plant with highly specialized, life-threatening malware two years ago, isn’t known to have broken through to the sensitive controls of U.S. power plants or substations.

The fact that the attackers behind the “Triton” malware can switch gears from hacking oil companies to electric utilities is significant, experts say, given the group’s sophistication and its suspected ties to Russian intelligence agencies (Energywire, March 7).

“Xenotime remains the most dangerous cyberthreat in the world, with the capability and intent to kill people,” said Sergio Caltagirone, vice president of threat intelligence at Dragos. “We’ve been very proactive at working with hundreds of electric utilities, preparing them with intelligence and defensive recommendations to best defend the U.S. electric grid against an attack from an adversary of this caliber.”

Dragos reported last year that Xenotime had expanded the scope of its malicious operations to include U.S. targets, although the firm did not specify which sectors came into the hackers’ crosshairs.

Today, the company issued a blog post detailing Xenotime’s activity dating back to 2017. After hackers “successfully compromised several oil and gas environments,” Xenotime has demonstrated “consistent, direct interest in electric utility operations” spanning from North America to the Asia-Pacific region, Dragos said, citing work with unidentified clients. Dragos added that Xenotime remains interested in oil and gas targets, calling the group’s foray into a new industry “emblematic of an increasingly hostile industrial threat landscape.”
