Xenotime, the notorious group behind the Triton malware designed to disable safety systems at petrochemical plants, has started to do reconnaissance at electric utilities, including those in the U.S., according to industrial systems cybersecurity firm Dragos.
Why it matters: Triton, also called Trisis, was designed to be not only destructive, but destructive in a way that could kill people. In fact, only three other groups are known to have successfully and deliberately disrupted industrial control systems.
- To be clear: We don't know that any U.S. electric utilities have been breached. Trisis has been observed doing some of the slow, deliberate groundwork to launch an attack.
Background: Triton was first seen in an attack on a Saudi petrochemical facility. It hasn't been seen in any subsequent attack, though the group behind that attack has remained active.
- Because industrial control system attacks need to be extensively targeted against highly specialized equipment, this is believed to be the first time an attacker group switched from one sector to another — petrochemical to electricity.
- While there are links between one component of the malware and a Russian research organization, no one has formally linked the malware to the Russian government. Hackers can be hired, borrow code or copy it from previous attacks.