Cybersecurity and Physical Security

Reports say U.S. electric utilities targeted by cyber hacking group

A cyber hacking group known as Xenotime has probed U.S. electric utilities, according to recent reports in the news media and elsewhere.

Xenotime has been connected to a malware known as Triton/Trisis and, according to E&E News, the North American Electric Reliability Corporation has determined that Xenotime has done “reconnaissance” activities aimed at the U.S. power sector since late 2018.

“The hacking group, infamous for infecting the safety systems of a Saudi petrochemical plant with highly specialized, life-threatening malware two years ago, isn't known to have broken through to the sensitive controls of U.S. power plants or substations,” writes E&E News reporter Blake Sobczak in a June 14 article.

However, “the fact that the attackers behind the ‘Triton’ malware can switch gears from hacking oil companies to electric utilities is significant, experts say, given the group's sophistication and its suspected ties to Russian intelligence agencies,” the article said.

The Association notified members of this threat last year through internal communications. 

In a June 14 blog, Dragos, a cybersecurity firm, said that Xenotime previously focused on oil and gas related targeting. But in early 2019, Dragos identified a change in Xenotime behavior. Specifically, starting in late 2018, Xenotime “began probing the networks of electric utility organizations in the U.S. and elsewhere using similar tactics to the group’s operations against oil and gas companies,” Dragos said in its blog.

“According to Dragos, Xenotime has probed the networks of at least 20 different U.S. electric system targets, including every element of the grid from power generation plants to transmission stations to distribution stations,” Wired magazine reported in a June 14 story on its website.

In its blog, Dragos referenced a 2017 malware attack by Xenotime on a Saudi Arabian oil and gas facility, which Dragos said “represented an escalation of attacks” on industrial control systems. The event “targeted safety systems and was designed to cause loss of life or physical damage” and following that attack, Xenotime “expanded its operations to include oil and gas entities outside the Middle East.”

Dragos said that while none of the electric utility targeting events has resulted in a known, successful intrusion into targeted organizations to date, “the persistent attempts, and expansion in scope is cause for definite concern.”

While electric utility environments “are significantly different from oil and gas operations in several aspects,” Dragos said that electric operations “still have safety and protection equipment that could be targeted with similar tradecraft.”

Xenotime “expressing consistent, direct interest in electric utility operations is a cause for deep concern given this adversary’s willingness to compromise process safety – and thus integrity – to fulfill its mission,” Dragos said.

For additional information on Xenotime, the Electricity Information Sharing and Analysis Center (E-ISAC) has posted bulletins at the following links:

March 1: https://www.eisac.com/portal-home/document-detail?id=118710

June 14: https://www.eisac.com/portal-home/cyber-bulletin-detail?id=119618

The Association encourages members to monitor the E-ISAC portal alerts to gauge the potential impact and actions to be taken.

To sign up for the portal, email [email protected], visit www.eisac.com, or call 202-790-6000.