Posted on June 15, 2019 at 2:28 PM
Hacking attacks have become so common that even the larger recent breaches no longer surprise people the way they did a few years ago. When a major, well-known hacking group makes a move, however, security experts still pay attention. And when the group in question is the one responsible for what is likely one of the most dangerous cyberattacks ever, everyone is on high alert.
This is exactly the situation right now: the hackers responsible for the Triton malware appear to be scanning the US power grid for vulnerabilities. The group, known as Xenotime, spent several months scanning US power grid networks in an attempt to find a way in, according to the US E-ISAC (Electricity Information Sharing and Analysis Center).
E-ISAC took the threat seriously and began collaborating with the industrial security company Dragos to track the activity and repel attacks, should they come. For now, many would agree that scanning alone, without any follow-up intrusion, is not a major issue. If the scans turn up an exploitable weakness, however, the consequences could be serious.
Why is Xenotime such a big threat?
Xenotime used to look like any other hacking group, and not many people paid much attention to it. Researchers tracked the group and its activities, but it was not seen as anything special. That changed with Triton, malware built to disable the safety instrumented systems at a Saudi Arabian oil refinery.
The attack on Petro Rabigh came in 2017, and it targeted the equipment that exists specifically to prevent malfunctions, explosions, and the like. The incident put Xenotime on the map as arguably the most dangerous online threat to date, so it is easy to understand why everyone is keeping a close eye on the group's activities. So far, nothing indicates that it is about to trigger a major power outage, and experts do not believe a large physical accident is imminent.
However, the group's reputation does not allow experts to treat its activities lightly. Dragos security researcher Joe Slowik said as much himself, pointing out that the group has proven itself both willing and capable of causing major harm, and potentially loss of life. He believes that Xenotime's move towards scanning the US grid should be taken as a warning of a much greater incident that might follow.
It is unclear whether the hackers are seeking out something in particular or simply any vulnerability they can find. So far, they have scanned around 20 US electric utilities, including power generation plants. Their scans were thorough, looking for anything from exposed remote login portals to exploitable weaknesses such as unpatched bugs and backdoors.
Researchers keeping an eye on Xenotime
Dragos became aware of the grid scanning earlier this year, although it had been tracking the group since mid-2018, mostly by examining the logs of targeted networks. The researchers noticed that the hackers were performing similar scanning operations in Asia and the Pacific region. In 2018, the company also noticed the group probing North American oil and gas targets. Xenotime gained access to some of those networks, although it never achieved full control. So far, its US grid probing has been less successful than the oil and gas scans, and the hackers apparently still have not found an entry point.
The main concern now is whether the group would attempt the same type of sabotage against the US grid that it carried out in Saudi Arabia. Many of the targeted utilities do not use safety instrumented systems of the kind Triton attacked, but some of them do use physical safety systems.
So far, it is not known which country, if any, might be supporting the hackers' activities. There was much speculation that Iran was behind the attack on Saudi Arabia, but others pointed to forensic links tying the attack to a Moscow research institute. If Xenotime is indeed operating from Russia, it would not be the first such group to target the US power grid. A group known as Sandworm carried out attacks on the Ukrainian power grid in 2015 and 2016 that left hundreds of thousands of people without power.
Not to mention that just last year, Dragonfly 2.0, also known as Palmetto Fusion, accessed the control systems of American power utilities. All of these groups got much further towards actually causing disruption than Xenotime has so far. Even so, researchers consider the group extremely dangerous, and as such, its activities must be closely monitored at all times.