According to a blog post from security researchers Dragos, the highly destructive Xenotime group is expanding its focus to more global targets. First discovered in December 2017, Xenotime’s handiwork was behind the infamous Trisis malware. Trisis was able to fully shut down industrial facilities in the Middle East because of how it targeted Schneider Electric’s Triconex safety instrumented system.
In Dragos’ post on Xenotime, the company indicates that the threat actors are now targeting not just nations in the Middle East but western nations such as the United States. No specific targets were named, for security reasons, but Dragos stated with confidence that the significance lies in how experts in industrial control system security regard the group: as “easily the most dangerous threat activity publicly known.” Trisis was considered a major escalation in how ICS attacks function, and with this attack method expanding, it undoubtedly spells trouble for the industrial sector.
Dragos also noted that the approach behind Trisis can be adapted into other strains of malware that target facility safety systems:
Because the Trisis malware framework was highly tailored, it would have required specific knowledge of the Triconex’s infrastructure and processes within a specific plant. This means it’s not easy to scale — however, the malware provides a blueprint of how to target safety instrumented systems. This tradecraft is thus scalable and available to others even if the malware itself changes.
This is important to note, as the expansion of Xenotime’s focus indicates a likely incoming barrage of attacks on safety instrumented systems. Even if the system in place is not Triconex, the tradecraft demonstrated by Trisis can be adapted to whatever safety system a facility uses. This is a scenario that security professionals in the industrial sector should take note of and prepare for.
Xenotime set themselves apart through the aggressive nature of their attacks on industrial facilities. The specific targeting of safety systems shows, as Dragos put it, that “loss of human life were either intentional or acceptable goals of the attack, a consequence not seen in previous disruptive attacks.” With the reach of Xenotime expanding, it is clear that, unless they are stopped, countless lives are at risk. It is not known what the ultimate goals of these attackers are, but Dragos researchers believe it is to gain the “capability to cause a potential, future disruptive — or even destructive — event.”
This cannot be allowed to happen.
Featured image: Pexels