A known threat group targeting industrial safety systems in the Middle East is using similar attacks on industrial systems in the United States, according to new research from Dragos. The Xenotime group has been labeled the most dangerous threat activity group because it is the only group intentionally compromising and disrupting industrial safety instrumented systems.
Though Dragos has not identified the specific targets of the latest attack on industrial controls systems in the US, it has reported that the attacks resembles the Russian attack on US critical infrastructure reported by US-CERT earlier this year, noting that the malware shows similarities to Trisis, which was used in an attack last year in Saudi Arabia.
In a 24 May blog post, Dragos wrote, “Industrial safety systems are highly redundant and separate controls which override and manage industrial processes if they approach unsafe conditions such as over-pressurization, overspeed, or over-heating. They enable engineers and operators to safely control and possibly shutdown processes before a major incident occurs. They’re a critical component of many dangerous industrial environments such as electric power generation and oil and gas processing.”
In the December 2017 attack on Schneider Electric’s Triconex safety instrumented system, attackers moved between networks using credential capture and replay after it configured the malware based on the functions of the system within the industrial control (ICS) environment. The level of sophistication noted in the Trisis malware framework indicated that the group had a deep knowledge of the Triconex infrastructure and processes.
“This means it’s not easy to scale—however, the malware provides a blueprint of how to target safety instrumented systems. This tradecraft is thus scalable and available to others even if the malware itself changes. Dragos’ data indicates XENOTIME remains active,” Dragos wrote.
“Both attacks started with social engineering to persuade employees to open phishing emails or visit watering hole websites. Attackers then gained administrative access to IT networks, from which they’ve identified IT/OT touch points to make their way into industrial control systems,” said Oren Aspir, CTO at Cyberbit.
Most ICS attacks leverage IT/OT convergence, which is why Oren said that companies managing industrial control networks should abandon the assumption that IT and OT can be fully segregated. “Start treating OT security at the same level of seriousness as they approach IT security. It starts with obtaining visibility in your OT network. Today organizations can deploy, within days, solutions for OT visibility and detect anomalies. These could have easily detected this attack.”