A blog post issued by the company, which is headed by former NSA hacker Robert M. Lee, said it had identified this shift in behaviour in February and that the change of tactics had been in evidence since late 2018.
The Xenotime group was claimed to be behind an attack in August 2017 on an oil facility owned by Saudi Arabia's Aramco; the attack was outlined by another security firm, FireEye, in December that year without naming the company or the country.
The malware used was named Triton by FireEye because it attacks a safety system known as Triconex which is made by Germany's Schneider Electric and used globally. Triton is built to interact with Triconex Safety Instrumented System controllers and prevents emergency shutdown of such systems.
The Dragos blog post was backed up by a report in EENews, which said that the North American Electric Reliability Corporation had referred to the firm's findings in an alert sent to a select group in March this year.
The alert is claimed to have said that Xenotime had been hitting American electricity utilities with "reconnaissance and potential initial access operations" since late 2018. The alert did not name its source, but the source was evident.
Dragos claimed to have identified "a persistent pattern of activity attempting to gather information and enumerate network resources associated with US and Asia-Pacific electric utilities" in the course of working with its clients in various regions.
Thus far, there has been only one case globally of a successful attack being carried out on public utilities, that on the electricity grid in Ukraine, which has been claimed to have been carried out by Russian groups.
Numerous other claims of so-called "cyber attacks" on various utilities have been filed by various websites but have been debunked, many of them by the group Cyber Squirrel, which keeps track of such incidents and does not balk at publishing the truth.
While the Dragos post was for the most part sober, the company did not hesitate to use it to try to drum up more business, writing: "Dragos Platform customers have detections for XENOTIME, as the product receives these and other threat behaviour detection updates regularly".
It also advised businesses to "consider using an ICS-specific detection capability like the Dragos Platform".
Independent researchers have, in the past, dismissed attempts to dial up the fear index based on such attempts as those detailed by Dragos, with one telling iTWire that such probes were "meant to demonstrate capabilities, while offering no real threat to the distributed US energy grid".
Commenting on the threat, Renaud Deraison, the chief technology officer and co-founder of security firm Tenable, said: "The latest reports that Xenotime is targeting electric utilities in the US and Asia-Pacific region should come as no surprise, but certainly warrants concern.
"The ongoing threats to operational technology and critical infrastructure are no longer theoretical, they have become our new reality. This is, in part, due to the convergence of IT and OT which has connected once-isolated OT systems to the outside world, exposing them to a variety of potential attacks. While reports indicate these latest attacks didn't result in a successful intrusion, this should be a stark wake-up call for organisations everywhere."
Deraison pointed out that an independent study, conducted by the Ponemon Institute on behalf of Tenable, had found that 90% of organisations reliant on OT systems had experienced at least one damaging cyber attack over the past two years and 62% had two or more.
"These attacks resulted in data breaches and/or significant disruption and downtime to business operations, plants and operational equipment," he said.
"The convergence of these two worlds has left OT in the purview and responsibility of CISOs. This means the IT and OT silos must be broken down and replaced with a single pane of glass to identify where organisations are exposed and to what extent. This is an important step in reducing the chances of mission- and safety-critical systems being compromised or taken offline."