The Xenotime hackers, known for attempting to cause an explosion at a Saudi oil plant, have a new target in their sights
A cyber threat group known for targeting oil and gas facilities has now expanded its attention to electric utilities in the US and Asia-Pacific, researchers say.
The Xenotime group, which researchers say was behind an attempt to cause an exposion at a Saudi Arabian oil and gas installation in 2017, began probing electric utilities in late 2018, said US-based security firm Dragos.
“This behaviour could indicate the activity group was preparing for a further cyberattack, or at minimum satisfying the prerequisites for a future industrial control system (ICS)-focused intrusion,” Dragos said in an advisory.
It added that other groups targeting industrial systems are likely to follow suit and expand across multiple vertical sectors.
Dragos, which specialises in ICS security, called Xenotime the “most dangerous threat” to industrial systems due to its willingness to “undermine fundamental process safety”, placing “lives and environments at great risk”.
In late 2017 researchers said the hacking group had infected a Saudi petrochemical plant with malware known as Triton or Trisis, which aims to disrupt safety systems.
The attack was the first time an attack on ICS systems was known to have been intended to cause physical damage or loss of life.
Dragos said it detected the group’s expansion of focus in February, with scans of electrical utilities in the US and Asia-Pacific.
It said that so far none of Xenotime’s external scanning and research on electric utilities was known to have resulted in a successful intrusion.
Oil and gas companies remain at risk from Xenotime, Dragos said.
The group’s actions should be “a cause for deep concern given this adversary’s willingness to compromise process safety”, the security firm said.
It said companies operating such equipment should take precautions and work with governments and businesses in other sectors to improve security.
“The time to plan, implement, and enforce security standards and response processes in industrial environments is now,” Dragos said in its advisory.