The hacking threat to critical infrastructure in the United States and beyond is growing larger, with nation states and other malicious actors looking to gain a foothold in sensitive technologies to conduct espionage and potentially stage disruptive or destructive attacks.
Dragos, a firm that specializes in industrial cybersecurity, has released new research asserting that a hacker group responsible for deploying highly sophisticated, destructive malware to an industrial plant in the Middle East last year has begun to expand its operations beyond its initial targets.
“This is no longer about data theft or business disruption. Someone can get hurt. It’s about physical consequences,” said Dan Scali, senior manager for FireEye’s industrial control system security consulting practice.
Last week, researchers at Dragos released new details about a threat group they call Xenotime. They said the group has developed hacking tools to compromise and disrupt industrial safety instrumented systems — hardware and software controls that are used to ensure the safe operations of large-scale nuclear, chemical and other industrial plants and allow for emergency stops to take place.
The group, whose origins are not publicly known, deployed malware to an industrial plant in the Middle East last year that specifically targeted Triconex safety systems manufactured by Schneider Electric. The attack caused the plant to shut down.
Now Dragos says that the actors have expanded their operations, making their way into networks of industrial organizations beyond the Middle East. The group has also demonstrated capabilities to potentially disrupt safety systems other than Triconex.
The developments have raised concerns that Xenotime could be moving to carry out destructive attacks, such as triggering chemical explosions.
“It is the most dangerous cyber threat in the world, period,” said Sergio Caltagirone, director of threat intelligence at Dragos.
“Really, there has been no malware in the world so far that has actually put lives at risk, demonstrably,” Caltagirone said. “This adversary is.”
Dragos has provided few technical details about the group’s behavior and has not divulged the countries now affected by the activity, though CyberScoop reported that U.S. companies were among those breached. Dragos said it has alerted U.S. officials and other foreign governments to the threat.
The Department of Homeland Security, which is responsible for engaging with owners and operators of critical infrastructure to help them guard against cyber sabotage, did not return a request for comment.
Concerns about cyber threats to critical infrastructure from nation states like Russia have been mounting in Washington, particularly in light of twin attacks that knocked out power in Ukraine in 2015 and 2016.
Industrial organizations have stepped up monitoring of their control networks to detect potentially nefarious activity, offering security professionals new insight into malicious actors looking to target critical infrastructure systems around the globe.
“It’s hard to say that we’re seeing specifically a trend because we are working with small numbers,” Scali said.
“But we’ve seen an escalation in attackers' capability and also willingness to conduct these types of attacks over time,” Scali added.
Forms of malware specifically designed to target industrial systems — used to power elements of the electric grid, water systems and other critical services — are rare. The malware associated with Xenotime was only the fifth known malware family targeting these systems since the Stuxnet virus was used against Iranian nuclear power plants in 2010.
Both FireEye and Dragos identified the malware in December. While researchers have not publicly identified the breach victim, The New York Times reported it was a petrochemical plant in Saudi Arabia. While the attack inadvertently caused operations at the plant to shut down, experts warn the consequences could have been far worse.
“If you’re attacking the safety instrumented system and trying to make changes to how it operates, you’re trying to hurt or kill someone, damage equipment, cause some other physical consequence or impact on the environment,” Scali said. “There’s a level of audacity around attacking a safety system.”
The activity associated with Xenotime has not been traced to a particular country, though experts suspect the group is linked to a nation state. Private actors don’t have the financial incentive to stage destructive attacks, nor do they possess the significant resources that are needed to hone such capabilities.
Dragos also suspects that the hackers are working with another, unidentified hacking group that first gained access to industrial networks through spearphishing and watering hole attacks and then passed that access to Xenotime.
In most cases, hackers spent between nine months and multiple years inside these networks, gathering intelligence on industrial operations, Caltagirone said.
“Basically, they are learning to become operators themselves inside this environment,” he said.
There have been other signs of nation-state cyber actors conducting reconnaissance on systems powering critical services.
In March, U.S. officials revealed that Russian hackers had staged a multiyear intrusion campaign against companies in the energy sector and other critical services.
In some cases, hackers gained access to energy sector networks and moved laterally in order to gather intelligence on industrial control systems and supervisory control and data acquisition systems — information that could provide a foundation for developing capabilities to stage attacks against targets in the energy sector.
“You need not only to compromise the systems, you also need knowledge of the industrial process,” Scali said. “The more information and reconnaissance that you can do ahead of time … that makes the attacker’s job easier and fills in that missing information that a hacker would need to cause a physical disruption.”
Dragos will release research on Thursday detailing the activities of a threat group the firm calls Covellite, which has breached networks associated with electric companies in Europe, East Asia and North America to gather intelligence on internal industrial operations.
Last September, the group carried out a spearphishing campaign against a small number of U.S. electric companies, though researchers say the hackers have significantly scaled back operations against North American targets.
The hacker group’s techniques have the hallmarks of those used by North Korea’s army of hackers, a force known to U.S. officials as Hidden Cobra, though it is unclear exactly how the two are related.
As adversaries continue to evolve in cyberspace, officials are on high alert for attacks that could compromise critical services. Jeanette Manfra, a top Homeland Security cybersecurity official, told The Hill earlier this year that she is keenly focused on working with industry to prevent attacks that could disrupt essential services, from the financial sector to the electric grid.
“I really believe that that is where the risk is,” Manfra said.
Meanwhile, experts anticipate an uptick in cyber activity targeting industrial control systems going forward.
“The ability to affect industrial control systems as part of a potential cyber war and larger kinetic or digital war environment is very high up on the list of many countries,” said Caltagirone. “We expect that, not only is our ability to find them going to get better … but we also know that there are going to be more adversaries entering this space in the mid- to long-term.”