Posts

Attacker: Xenotime and Trisis ICS Attacks

Dragos, an information security consulting firm that specializes in industrial control system (ICS) security consulting, reported that the threat actor known as “Xenotime” has expanded its presence in compromising ICS systems beyond the Middle East. In late 2017, FireEye and Dragos reported a threat actor had released TRISIS malware that had targeted a Middle East oil company. The attack resulted in a complete shutdown of the oil and gas facility. Forensics revealed that malware had targeted the safety instrumentation system (SIS) component of a Schneider Electric’s Triconex system that was present within the facility.

Safety instrumentation systems are responsible for taking action on critical situations within industrial control systems. They could be responsible for opening and closing valves or other types of safety systems. Failure of an SIS may result in loss of life or the disruption in the functionality of a facility. This threat actor is suspected to be state sponsored and was attempting to engineer an attack that could be used to cause physical damage in the event of a political conflict. The new revelation from Dragos indicates that the same party that was targeting the Middle East company has now expanded its presence to multiple regions around the world by targeting multiple types of ICS environments. This is very alarming issue since this threat actor is actively attempting intrusions with the intent to cause physical damage to ICS systems that may result in a loss of life or major disruption of critical industrial facilities.

Proficio Threat Intelligence Recommendations:

  • Validate an ICS monitoring solution is in place.
  • Develop special focused monitoring use cases around assets within ICS networks.
  • Monitor for vulnerability advisories from your ICS vendors.

General Info – Click Here