The so-called Xenotime threat group, known for attacks on industrial control systems (ICS), has broadened the scope of its attacks to include U.S. companies.
Using a variant of the Trisis malware, which was used in a 2017 attack in Saudi Arabia, Xenotime is aimed at the safety instrumental control systems that safeguard industrial systems in energy and manufacturing plants, according to Dragos.
“We're not surprised to hear that there's evidence of this threat actor moving to target safety-instrumentation-systems in facilities worldwide, including in the U.S.,” said Emily S. Miller, director of national security and critical infrastructure programs at Mocana. “SIS devices are known as the last line of defense in a process, and a compromise in a system of this type could impact not only the safety of a facility, but also the integrity and reliability of the process itself.”
Xenotime, according to a Dragos blog, “is easily the most dangerous threat activity publicly known” and “is the only activity group intentionally compromising and disrupting industrial safety instrumented systems,” which the company said could lead to scenarios that cause environmental damage or result in loss of life.
“This activity is a BIG DEAL and should be treated as such,” said Miller. “Over and over, we hear from critical infrastructure operators that, though they take security seriously, they are waiting ‘for the big one' to occur before they make the kind of investments needed to radically change the approach to securing their infrastructure. Well, here it is -- the waiting is over.”
While current threat activity dictates monitoring and detection are key, she said, “to actually prevent this kind of activity in the future, we, as an industry, must change” and include essential security like hardened code and tamper resistance on devices.“If this doesn't change, and we can't embed military-grade security into devices, we'll unfortunately continue to see an escalation of attacks on the most mission-critical devices and infrastructure.”
