The Highly Dangerous ‘Triton’ Hackers Have Probed the US Grid

Credit to Author: Andy Greenberg| Date: Fri, 14 Jun 2019 11:00:00 +0000

On the scale of security threats, hackers scanning potential targets for vulnerabilities seems low. But when the hackers in question executed one of the most reckless cyberattacks in history—one that could have had easily turned destructive or even lethal—that reconnaissance has a more foreboding edge. Especially when the target of their scanning is the US power grid.

Over the last several months, power grid-focused security analysts at the Electric Information Sharing and Analysis Center. or E-ISAC, and the critical infrastructure security firm Dragos have been tracking a group of sophisticated hackers carrying out broad scans of dozens of US power grid targets, apparently looking for entry points into their networks. Scanning alone hardly represents a serious threat. But these hackers, known as Xenotime—or sometimes as the Triton actor, after their signature malware—have a particularly dark history. The Triton malware was designed to disable the so-called safety-instrument systems at Saudi Arabian oil refinery Petro Rabigh in a 2017 cyberattack, with the apparent aim of crippling equipment that monitors for leaks, explosions, or other catastrophic physical events. Dragos has called Xenotime "easily the most dangerous threat activity publicly known."

There's no sign that the hackers are anywhere near triggering a power outage—not to mention a dangerous physical accident—in the US. But the mere fact that such a notoriously aggressive group has turned its sights on the US grid merits attention, says Joe Slowik, a industrial control systems-focused security researcher at Dragos who has tracked Xenotime.

Xenotime has probed the networks of at least 20 different US electric system targets.

"Xenotime has already proven itself willing not only to act within an industrial environment, but to do so in a quite concerning fashion, targeting safety systems for potential plant disruption and at minimum accepting the risk that disruption could result in physical damage and even harm to individuals," Slowik told WIRED. Xenotime's scans of the US grid, he adds, represent initial baby steps toward bringing that same sort of destructive sabotage to American soil. "What concerns me is that the actions observed to date are indicative of the preliminary actions required to set up for a future intrusion and potentially a future attack."

According to Dragos, Xenotime has probed the networks of at least 20 different US electric system targets, including every element of the grid from power generation plants to transmission stations to distribution stations. Their scanning ranged from searching for remote login portals to scouring networks for vulnerable features, such as the buggy version of Server Message Block exploited in the Eternal Blue hacking tool leaked from the NSA in 2017. "It's a combination of knocking on the door and trying a couple of doorknobs every once in a while," says Slowik.

While Dragos only became aware of the new targeting in early 2019, it traced the activity back to mid-2018, largely by looking at the targets' network logs. Dragos also saw the hackers similarly scan the networks of a "handful" of power grid operators in the Asia-Pacific region. Earlier in 2018, Dragos had reported that it saw Xenotime targeting about half a dozen North American oil and gas targets. That activity consisted largely of the same sort of probes seen more recently, but in some cases also included attempts to crack the authentication of those networks.

While those cases cumulatively represent an unnerving diversification of Xenotime's interests, Dragos says that only in a small number of incidents did the hackers actually compromise the target network, and those cases occurred in Xenotime's oil and gas targeting rather than its more recent grid probes. Even then, according to Dragos' analysis, they never managed to expand their control from the IT network to the far more sensitive industrial control systems, a prerequisite to directly causing physical mayhem like a blackout or planting Triton-style malware.

By contrast, in its 2017 attack on Saudi Arabia's Petro Rabigh refinery Xenotime not only gained access to the company's industrial control system network, but took advantage of a vulnerability in the Schneider Electric-made Triconex safety-instrumented systems it used, essentially knocking out that safety equipment. The sabotage could have been the precursor to causing a serious physical accident. Fortunately, the hackers instead triggered an emergency shutdown of the plant—apparently by accident—without any more severe physical consequences.

Whether Xenotime would attempt that sort of Triton-style sabotage against the US grid is far from clear. Many of the victims it has recently targeted don't use safety instrumented systems, though some do use those physical safety systems to protect gear like generation turbines, according to Dragos' Slowik. And grid operators commonly use other digital safety equipment like protective relays, which monitor for overloaded or out-of-synch grid equipment, to prevent accidents.

Dragos says it learned of Xenotime's recent targeting activity largely from its customers and other industry members sharing information with the company. But the new findings came into the public light in part due to an apparently accidental leak: E-ISAC, a part of the North American Electric Reliability Corporation, published a presentation from March on its website that included a slide showing a screenshot of a Dragos and E-ISAC report on Xenotime's activity. The report notes that Dragos detected Xenotime "performing reconnaissance and potential initial access operations" against North American grid targets, and notes that the E-ISAC "tracked similar activity information from electricity industry members and government partners." E-ISAC didn't respond to WIRED's request for further comment.

Dragos has shied away from naming any country that might be behind Xenotime's attacks. Despite initial speculation that Iran was responsible for the Saudi-Arabian targeted Triton attack, security firm FireEye in 2018 pointed to forensic links between the Petro Rabigh attack and a Moscow research institute, the Central Scientific Research Institute of Chemistry and Mechanics. If Xenotime is in fact a Russian or Russia-sponsored group, they would be far from the only Russian hackers to target the grid. The Russian hacker group known as Sandworm is believed to be responsible for attacks on Ukrainian electric utilities in 2015 and 2016 that cut power to hundreds of thousands of people, the only blackouts confirmed to have been triggered by hackers. And last year the Department of Homeland Security warned that a Russian group known as Palmetto Fusion or Dragonfly 2.0 had gained access to the actual control systems of American power utilities, bringing them much closer to causing a blackout than Xenotime has gotten thus far.

Nonetheless FireEye, which performed incident response for the 2017 Petro Rabigh attack and another breach by the same hackers, backs Dragos' assessment that Xenotime's new targeting of the US grid is a troubling development. "Scanning is disconcerting," says John Hultquist, FireEye's director of threat intelligence. "Scanning is the first step in a long series. But it suggests interest in that space. It's not as worrisome as actually dropping their Triton implant on US critical infrastructure. But it’s something we definitely want to keep an eye on and track."

Beyond just the threat to the US grid, Dragos vice president of threat intelligence Sergio Caltagirone argues that Xenotime's expanded targeting shows how state-sponsored hacker groups are becoming more ambitious in their attacks. The number of groups with an ability to hack industrial control systems has grown not only in number but in the scope of their actions, he says. "Xenotime has jumped from oil and gas, from purely operating in the Middle East, to North America in early 2018, to the electric grid in North America in mid-2018," Caltagirone says. "We’re seeing proliferation across sectors and geographies. And that threat proliferation is the most dangerous thing in cyberspace."

https://www.wired.com/category/security/feed/