Sign up for our daily briefing
Make your busy days simpler with Axios AM/PM. Catch up on what's new and why it matters in just 5 minutes.
Catch up on coronavirus stories and special reports, curated by Mike Allen everyday
Catch up on coronavirus stories and special reports, curated by Mike Allen everyday
Denver news in your inbox
Catch up on the most important stories affecting your hometown with Axios Denver
Des Moines news in your inbox
Catch up on the most important stories affecting your hometown with Axios Des Moines
Minneapolis-St. Paul news in your inbox
Catch up on the most important stories affecting your hometown with Axios Twin Cities
Tampa Bay news in your inbox
Catch up on the most important stories affecting your hometown with Axios Tampa Bay
Charlotte news in your inbox
Catch up on the most important stories affecting your hometown with Axios Charlotte
Photo: YinYang via Getty Images
Xenotime, the notorious group behind the Triton malware designed to disable safety systems at petrochemical plants, has started to do reconnaissance at electric utilities, including those in the U.S, according to industrial systems cybersecurity firm Dragos.
Why it matters: Triton, also called Trisis, was designed to be not only destructive, but be destructive in a way that could kill people. In fact, there are only three other groups known to successfully, deliberately disrupt industrial control systems.
- To be clear: We don't know that any U.S. electric utilities have been breached. Trisis has been observed doing some of the slow, deliberate groundwork to launch an attack.
Background: Triton was first seen in an attack a Saudi petrochemical facility. It hasn't been seen in any subsequent attack, though the same group behind the attack has still been active.
- Because industrial control system attacks need to be extensively targeted against highly specialized equipment, this is believed to be the first time an attacker group switched from one sector to another — petrochemical to electricity.
- While there are links between one component of the malware and a Russian research organization, no one has formally linked the malware to the Russian government. Hackers can be hired, borrow code or copy it from previous attacks.