The Highly Dangerous ‘Triton’ Hackers Have Probed the US Grid
From Wired
Excerpt:
On the scale of security threats, hackers scanning potential targets for vulnerabilities might seem to rank rather low. But when it’s the same hackers who previously executed one of the most reckless cyberattacks in history—one that could have easily turned destructive or even lethal—that reconnaissance has a more foreboding edge. Especially when the target of their scanning is the US power grid.
Over the past several months, security analysts at the Electric Information Sharing and Analysis Center (E-ISAC) and the critical-infrastructure security firm Dragos have been tracking a group of sophisticated hackers carrying out broad scans of dozens of US power grid targets, apparently looking for entry points into their networks. Scanning alone hardly represents a serious threat. But these hackers, known as Xenotime—or sometimes as the Triton actor, after their signature malware—have a particularly dark history. The Triton malware was designed to disable the so-called safety-instrument systems at Saudi Arabian oil refinery Petro Rabigh in a 2017 cyberattack, with the apparent aim of crippling equipment that monitors for leaks, explosions, or other catastrophic physical events. Dragos has called Xenotime “easily the most dangerous threat activity publicly known.”
There’s no sign that the hackers are anywhere near triggering a power outage—not to mention a dangerous physical accident—in the US. But the mere fact that such a notoriously aggressive group has turned its sights on the US grid merits attention, says Joe Slowik, a security researcher at Dragos who focuses on industrial control systems and who has tracked Xenotime…SNIP
****************************************************************
And from E&E News
The inside story of the world’s most dangerous malware
Excerpt:
On Aug. 4, 2017, at 7:43 p.m., two emergency shutdown systems sprang into action as darkness settled over the sprawling refinery along Saudi Arabia’s Red Sea coast.

The systems brought part of the Petro Rabigh complex offline in a last-gasp effort to prevent a gas release and deadly explosion. But as safety devices took extraordinary steps, control room engineers working the weekend shift spotted nothing out of the ordinary, either on their computer screens or out on the plant floor.

The reasons for the sudden shutdown were still buried under zeros and ones, nestled deep within the code of the compromised Schneider Electric safety equipment.

Investigators soon discovered a dangerous hacking tool that would usher in a new chapter in the global cyber arms race, much like the Stuxnet worm that damaged Iranian nuclear centrifuges at the start of the decade. The discovery of the Triton malware, named for the Triconex line of safety systems it triggered, echoed from the ancient Saudi city of Rabigh to a research institute in Moscow, and from California to Tokyo.

“Worst-case scenario here, you’re dealing with a potential release of toxic hydrogen sulfide gases, a potential for explosions from high pressure, high temperature,” said Julian Gutmanis, a cybersecurity contractor who sources say led the Saudi Arabian Oil Co.’s investigation of the Triton intrusion.

“We considered the entire organization to be compromised,” Gutmanis said at the S4 cybersecurity conference in Miami earlier this year, where he declined to name the target facility or even identify his employer. “We had a very sophisticated attacker. We knew that the systems, and the integrity of these systems, can no longer be trusted.”…SNIP
**************************************************************************