News

Triton malware operators are interested in attacks on power companies

The hacker group Xenotime, which security experts have linked to the 2017 attacks on industrial process control systems using the Triton malware (also known as Trisis and HatMan), has expanded its list of targets.

Previously the group focused on oil and gas companies, but its list of targets now includes energy companies in the United States and the Asia-Pacific region.

“Attacking any industrial sector requires significant resources, which increases with expansion of capabilities and targeting. High resource requirements previously limited such attacks to a few potential adversaries, but as more players see value and interest in targeting critical infrastructure – and those who already invested see dividends from their behaviors – the scale of the threat grows,” say experts at the security company Dragos.

Xenotime has been active since 2014, but it became widely known only in 2017 after attacks on oil and gas companies in Saudi Arabia. The attackers used the Triton malware, which is designed to attack Schneider Electric Triconex safety systems. The attack was discovered after failures in a number of industrial systems, which experts attribute to mistakes by the attackers.

Initially the group attacked only oil and gas enterprises in the Middle East; however, according to the information security company Dragos, Xenotime is now interested in energy companies in the United States and the Asia-Pacific region. According to the researchers, all attack attempts so far have been unsuccessful, and the attackers could not penetrate the networks of the target organizations.

According to Dragos, such behavior may indicate that the group is preparing for further cyberattacks: conducting reconnaissance and trying to get into the network using credential stuffing attacks or stolen logins and passwords.

“While none of the electric utility targeting events has resulted in a known, successful intrusion into victim organizations to date, the persistent attempts and expansion in scope are cause for definite concern. XENOTIME has successfully compromised several oil and gas environments, which demonstrates its ability to do so in other verticals,” warn Dragos experts.

Recall that in October last year FireEye published a report suggesting that developers from the Russian Federation might have been involved in creating the Triton malware.

Source: https://dragos.com/blog

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
