Saturday, 15 June 2019 10:58

Sec firm Dragos warns of threat group targeting electricity utilities

Industrial security intelligence provider Dragos has issued a warning about a threat group it has baptised Xenotime, which it says has expanded its field of operations from the oil and gas industry to now also target electricity utilities in the US.

A blog post issued by the company, which is headed by former NSA hacker Robert M. Lee, said it had identified this shift in behaviour in February and that the change of tactics had been in evidence since late 2018.

The Xenotime group was claimed to be behind an attack in August 2017 on an oil facility owned by Saudi Arabia's Aramco; the attack was outlined by another security firm, FireEye, in December that year without naming the company or the country.

The malware used was named Triton by FireEye because it attacks a safety system known as Triconex which is made by Germany's Schneider Electric and used globally. Triton is built to interact with Triconex Safety Instrumented System controllers and prevents emergency shutdown of such systems.

FireEye said in April this year that it had encountered a second instance of Triton being used, but again did not specify where or what the target was. But FireEye, which has a reputation for not backing away from attribution, has claimed in the past that Triton is linked to a Russian Government-owned research institute.

The Dragos blog post was backed up by a report in EENews which said that the North American Electric Reliability Corporation had spoken to the firm in March this year in an alert sent to a select group.

The alert is claimed to have said that Xenotime had been hitting American electricity utilities with "reconnaissance and potential initial access operations" since late 2018. The source of the information was not named in the alert, but was evident from context.

Dragos claimed to have identified "a persistent pattern of activity attempting to gather information and enumerate network resources associated with US and Asia-Pacific electric utilities" in the course of working with its clients in various regions.

Thus far, there has been only one case globally in which a successful attack has been carried out on a public utility, this being the attack on the electricity grid in Ukraine, which has been claimed to have been carried out by Russian groups.

Numerous other claims of so-called "cyber attacks" on various utilities have been published by various websites but have been debunked, many of them by the group Cyber Squirrel, which keeps track of such incidents and does not balk at publishing the truth.

While the Dragos post was for the most part sober, the company did not hesitate to use it to try and drum up more business, writing "Dragos Platform customers have detections for XENOTIME, as the product receives these and other threat behaviour detection updates regularly".

It also advised businesses to "consider using an ICS-specific detection capability like the Dragos Platform".

Independent researchers have, in the past, dismissed attempts to dial up the fear index based on such attempts as those detailed by Dragos, with one telling iTWire that such probes were "meant to demonstrate capabilities, while offering no real threat to the distributed US energy grid".

Commenting on the threat, Renaud Deraison, the chief technology officer and co-founder of security firm Tenable, said: "The latest reports that Xenotime is targeting electric utilities in the US and Asia-Pacific region should come as no surprise, but certainly warrants concern.

"The ongoing threats to operational technology and critical infrastructure are no longer theoretical; they have become our new reality. This is, in part, due to the convergence of IT and OT, which has connected once-isolated OT systems to the outside world, exposing them to a variety of potential attacks. While reports indicate these latest attacks didn't result in a successful intrusion, this should be a stark wake-up call for organisations everywhere."

Deraison pointed out that an independent study, conducted by the Ponemon Institute on behalf of Tenable, had found that 90% of organisations reliant on OT systems had experienced at least one damaging cyber attack over the past two years and 62% had two or more.

"These attacks resulted in data breaches and/or significant disruption and downtime to business operations, plants and operational equipment," he said.

"The convergence of these two worlds has left OT in the purview and responsibility of CISOs. This means the IT and OT silos must be broken down and replaced with a single pane of glass to identify where organisations are exposed and to what extent. This is an important step in reducing the chances of mission- and safety-critical systems being compromised or taken offline."

Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
