Dragos: Trisis Malware Creator goes beyond the oil and gas industry
Scott Ferguson (Ferguson_Writes)
June 17, 2019
Xenotime, a threat group that previously focused on targets in the oil and gas industry, is now turning its attention to power plants and utilities, creating new challenges for security teams tasked with protecting industrial control systems, reports the security company Dragos.
This shift from the oil and gas sector to power plants is recent, with researchers noting the change for the first time in February. Additionally, investigators found that Xenotime was probing targets in the United States as well as the Asia-Pacific region, Dragos reports in a research note released Friday.
So far, it does not appear that the Xenotime group has successfully carried out a large-scale operation against any of these power plants, but its behavior since February shows that the group is preparing for a large-scale intrusion into the industrial control systems that run these power plants, the Dragos research finds.
“At this time, Dragos cannot determine what the ultimate goal of Xenotime is by examining targets in the US power sector,” Joe Slowik, an adversary hunter at Dragos, told Information Security Media Group.
“Given that Xenotime is among the small number of entities that have demonstrated both the willingness and the ability to launch a physically disruptive attack in ICS environments, our assessment at this time is that Xenotime is seeking sufficient knowledge and access into utility networks to enable a potential future power utility disruptive event, which may include physical destruction,” adds Slowik.
Dragos declined to identify who could have created or used the malware.
The Dragos analysis of Xenotime’s new targets comes as The New York Times reported on Saturday that the US military was stepping up online incursions into Russia’s power grid that have the potential to disrupt power in that country.
New type of threat
The ability to use malicious code to successfully disrupt industrial control systems, which run technology used in advanced manufacturing, pharmaceuticals, power generation, oil and gas, and power plants, is relatively new because it requires significant technical know-how, as well as money and time, to develop such attacks (see: How Triton Malware targets industrial control systems).
Although some threat groups have attempted to attack these systems in the past, that changed in 2017, when an oil and gas company in Saudi Arabia was hit with malware called Trisis or Triton, according to security researchers.
In this case, the malicious code targeted the controllers of the facility’s Triconex safety instrumented system, which are developed by Schneider Electric, according to a study published by FireEye, which worked with Dragos to investigate the incident.
These Safety Instrumented System Controllers are designed as a safety control for critical machines within these industrial facilities. Interference with these controllers could cause massive damage to a plant or trigger a complete shutdown. However, the 2017 incident in Saudi Arabia failed after attackers made a series of mistakes, according to FireEye and other security analysts.
There are several reasons why power plants and power grids have become more susceptible to malware like Trisis or Triton, says Nathan Wenzler, senior director of cybersecurity at Moss Adams, a Seattle-based accounting, consulting and wealth management firm. In many cases, these facilities have started to connect previously isolated systems to the public Internet in order to adopt technologies such as the Internet of Things (see: Spyware penetrates isolated networks).
These operational technology networks increasingly resemble traditional IT networks, with industrial companies adopting the same types of software and services that are used in enterprises, Wenzler explains.
“Culturally speaking, these companies are used to working in isolated and completely autonomous environments,” Wenzler told ISMG. “Now they are connected to the Internet to enable remote monitoring and management to provide a single, real-time view of operations, increasing efficiency and response time. Which sounds good, but it also presents all the challenges of cyber attacks that come with this type of technology. And if you are an organization that has never had to deal with this problem before, or that has built entire operating processes around the notion that your systems would be completely isolated from the outside world, this is going to be a massive change in the way you do business and will create culture shock for many involved.”
Although Dragos research reveals that Xenotime is likely the group responsible for the incident in Saudi Arabia, it is not clear whether the attackers developed the capacity to carry out another, larger-scale industrial attack on a power plant.
Security researchers, however, are still learning about Xenotime and its motivations.
In 2018, FireEye released a second report on the Trisis or Triton malware, linking it to the Moscow-based Central Institute for Scientific Research in Chemistry and Mechanics, a government-owned research and engineering facility. This research note, however, does not use the name Xenotime to identify the group behind this particular strain of malware.
In its new research report, Dragos does not tie the group to any particular country. But Slowik told ISMG that in order to carry out a sophisticated attack on a power plant, Xenotime would need the support of a nation state, especially when it comes to funding and resources.
“Xenotime has proven to be able to acquire, reverse engineer, and develop attack packages for industrial control system equipment – all stages requiring a level of effort and resources typically beyond the reach of independent entities, but most often found in laboratories or other state-sponsored activity,” Slowik says. “Given the demonstrated capacity of the group, Xenotime almost certainly relies on some level of state support.”
Method of attack
The exact techniques used by Xenotime are still under investigation, but Dragos says that in some cases it appears the group is trying to use administrative passwords and stolen credentials to kick-start the reconnaissance phase and begin mapping the network.
This kind of brute-force credential stuffing technique is also used by other groups to target these kinds of industrial networks, Slowik explains.
“Dragos has identified a persistent trend among all ICS-targeting entities where adversaries are focused on capturing and reusing credentials to facilitate both initial network access and lateral movement, including in the ICS environment,” Slowik told ISMG. “This approach is beneficial because it avoids the potential ‘noise’ and disruption of exploits while allowing an attacker to ‘blend in’ with legitimate traffic. This same trend has also occurred in computer intrusions, but is particularly prevalent in ICS intrusions due to password reuse and things like hard-coded vendor passwords on some systems.”
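A defender-side illustration of the credential-reuse pattern Slowik describes, written as an added example for this article and not taken from anything Dragos or FireEye published: it runs a small detection over constructed authentication log lines, flagging a source that fails against many different accounts in a short window (the stuffing and spraying shape), the later successful logons from that same source, the point at which such a source reaches a host in the ICS segment (lateral movement into the control network), and any ICS logon with a vendor default account. The log format, host names, thresholds and account lists are assumptions for the example.

```python
"""Added example: spotting credential stuffing, credential reuse and
lateral movement into the ICS segment from authentication log lines.
Log format, host names, thresholds and the default-account list are
assumptions for this example, not data from Dragos or the article."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: ISO timestamp followed by key=value pairs.
SAMPLE_LOG = """\
2019-06-14T02:10:01Z host=eng-ws01 src=10.20.5.7 user=operator result=FAIL
2019-06-14T02:10:03Z host=eng-ws01 src=10.20.5.7 user=admin result=FAIL
2019-06-14T02:10:05Z host=eng-ws01 src=10.20.5.7 user=maint result=FAIL
2019-06-14T02:10:07Z host=eng-ws01 src=10.20.5.7 user=svc_backup result=FAIL
2019-06-14T02:10:09Z host=eng-ws01 src=10.20.5.7 user=hmi result=FAIL
2019-06-14T02:10:12Z host=eng-ws01 src=10.20.5.7 user=hmi result=SUCCESS
2019-06-14T02:15:30Z host=hmi-plc-gw src=10.20.5.7 user=hmi result=SUCCESS
2019-06-14T03:00:00Z host=hmi-plc-gw src=10.30.1.9 user=maint result=SUCCESS
2019-06-14T08:00:00Z host=eng-ws01 src=10.20.5.40 user=operator result=FAIL
2019-06-14T08:00:20Z host=eng-ws01 src=10.20.5.40 user=operator result=SUCCESS
"""

# Assumed: hosts that sit in the ICS segment, and account names a vendor
# ships enabled by default (a real list comes from your asset inventory).
ICS_HOSTS = {"hmi-plc-gw", "safety-eng-ws"}
VENDOR_DEFAULT_ACCOUNTS = {"admin", "maint"}


def parse_line(line):
    """Turn one 'TIMESTAMP k=v k=v ...' line into a dict with a datetime ts."""
    ts_str, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_sprays(records, threshold=4, window=timedelta(minutes=5)):
    """Sources that failed against >= threshold distinct usernames inside one
    window: the 'many accounts, few attempts each' shape of credential
    stuffing and password spraying, which per-account lockout misses.
    Returns {src: time of the first failure in the flagged window}."""
    fails = defaultdict(list)
    for r in records:
        if r["result"] == "FAIL":
            fails[r["src"]].append((r["ts"], r["user"]))
    flagged = {}
    for src, events in fails.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - t0 <= window}
            if len(users) >= threshold:
                flagged[src] = t0
                break
    return flagged


def raise_alerts(records, sprays, ics_hosts=ICS_HOSTS,
                 default_accounts=VENDOR_DEFAULT_ACCOUNTS):
    """Classify successful logons: a success from a spraying source means a
    guessed or stolen credential now works; the same source reaching an
    ICS host is lateral movement into the control network; any ICS logon
    with a vendor default account is worth a look regardless of source."""
    alerts = []
    for r in records:
        if r["result"] != "SUCCESS":
            continue
        in_ics = r["host"] in ics_hosts
        if r["src"] in sprays and r["ts"] >= sprays[r["src"]]:
            kind = "ICS_LATERAL_MOVEMENT" if in_ics else "CREDENTIAL_COMPROMISE"
            alerts.append((kind, r["src"], r["user"], r["host"]))
        if in_ics and r["user"] in default_accounts:
            alerts.append(("DEFAULT_ACCOUNT_LOGIN", r["src"], r["user"], r["host"]))
    return alerts


def analyse(text):
    records = parse_log(text)
    sprays = find_sprays(records)
    return sprays, raise_alerts(records, sprays)


if __name__ == "__main__":
    sprays, alerts = analyse(SAMPLE_LOG)
    for src, first in sprays.items():
        print(f"spray from {src} starting {first.isoformat()}")
    for a in alerts:
        print(a)
```

On the constructed input the single failed-then-successful operator logon from 10.20.5.40 is left alone, while 10.20.5.7 is flagged for spraying, its later success as `hmi` is raised as a credential compromise, and the same account reaching the ICS gateway is raised as lateral movement; the `maint` logon on that gateway is raised only because the account is on the assumed vendor-default list. The window and threshold are the knobs a site would tune against its own baseline.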
For operators of these power plants, Slowik recommends increasing visibility into the types of industrial control systems they use.
“The primary step that owners and operators of ICS assets can take to improve security is to increase visibility into ICS networks and associated processes, while incorporating the ability to detect, respond to and recover from intrusions,” Slowik adds.