Can hackers target the US power grid? Apparently yes. Indeed, a group of hackers known as Xenotime, which targeted Saudi Arabia in 2017, is now going after US and Asian power companies, as reported by Bloomberg.
Computer viruses and other malware rarely evoke the idea of a real danger to human beings. These words most often refer to programs that display advertisements, send junk mail, or slow down our personal computers. However, there are programs that directly target sensitive industrial sites, such as Stuxnet discovered in 2010, that NSA and Israel have allegedly developed to force the shutdown of the Iranian nuclear program. In 2016, Black Energy and CrashOverride viruses attacked electrical installations in Ukraine.
So far, the few malware families that have attacked industrial sites have not sought to kill, but lately a group of hackers known as Xenotime, with apparently more deadly intent, has been worrying researchers. The group, suspected to be of Russian origin, is attempting to compromise more dangerous industrial sites, with the mission of physically destroying the facilities. The malware used by the group was discovered for the first time in 2017 at the Petro Rabigh refinery in Saudi Arabia. The program was named Triton, or Trisis.
According to Maryland-based cybersecurity group Dragos, Xenotime is now probing US and Asian electrical companies to gather information on vulnerabilities. The group has been doing so since 2018 and focuses mostly on the electronic control systems that manage operations at industrial sites.
Another American cybersecurity company, FireEye Inc, has also linked Xenotime to a research institution owned by the Russian government, the Central Scientific Research Institute of Chemistry and Mechanics.
Xenotime is behind the malware known as Triton. One of the special features of Triton is that it targets Schneider Electric’s Triconex safety system. These controllers are designed to respond to faults or failures of the production system. Such an attack could allow the release of highly toxic hydrogen sulphide gas, as well as cause explosions due to high temperatures or pressures.
The Xenotime hackers also appear to be very patient, and take a long time to fully infiltrate the facilities. The group has been operating since 2014, suggesting that they may have planted dormant malicious code (logic bombs) in industrial sites around the world. Manufacturers will therefore have to analyze all installations using Triconex hardware, in search of specific files or suspicious network flows.