Industrial cyber security company Dragos disclosed on May 24th, 2018 that Xenotime, the hacking group behind the "strongest" industrial control malware Trisis (also known as Triton and HatMan), has expanded the scope of its attack targets.
Trisis is the first malware specifically designed for safety instrumented systems. It is also the first malware capable of remotely putting civil infrastructure into an unsafe state. Like Stuxnet, it can manipulate the rotational speed of rotating components, and it may cause a plant to shut down or injure people.
What makes Trisis remarkable is that its complete file library is built in five different programming languages, and it can only be tested on the same industrial device it targets in order to fully understand the malware. Sources estimate that a professional malware development team would need to spend a year to develop malware that rivals Trisis, which has even stumped analysts from the National Security Agency (NSA). This is enough to show the potential danger posed by the hacking group Xenotime.
The Xenotime hacking group may have been active since 2014. In December 2017, the group used a zero-day vulnerability in the Schneider Triconex Safety Instrumented System (SIS) to attack an oil and gas plant in the Middle East, causing the plant to stop operating.
A safety instrumented system (SIS) is a hardware and software control system used mainly to protect industrial processes and equipment in nuclear, oil and gas, or manufacturing plants. SIS is an important part of the automatic control of industrial enterprises. Only a few companies in the world develop and maintain SIS products, including but not limited to Emerson, Honeywell, and Japan's Yokogawa.
After its analysis, industrial network security company Dragos found that Xenotime has targeted organizations worldwide. The company did not disclose details of the group's recent attacks, but pointed out that the group is active in multiple facilities and, in addition to Schneider Electric Triconex, is also targeting other safety systems.
According to a former U.S. official, U.S. industrial companies have encountered attacks by the group, but the official did not reveal which systems or industrial companies were recently affected. It is not yet clear how Xenotime has successfully developed and maintained such sophisticated malware.
Dragos is confident that Xenotime intends to establish the access and capabilities needed to trigger potentially damaging or even devastating events in the future.
In the attack on the oil and gas plant in Saudi Arabia, the group created a custom malware framework and a customized credential collection tool, but a misconfiguration triggered the safety system. As Xenotime matures, the likelihood that it will make such low-level mistakes again will be greatly reduced.