XENOTIME Cyber Threat Group Behind TRISIS Expands Targeting

XENOTIME, the cyber threat group behind the TRISIS malware, is shifting and expanding its targeting, according to cybersecurity firm Dragos. TRISIS, also known as TRITON, is a family of malware designed specifically to target industrial control system (ICS) components, particularly Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers. When cybersecurity researchers first reported on the malware in December 2017, it had already been deployed against a facility in the Middle East; however, the malware failed to execute as intended, and the affected SIS controllers entered a fail-safe state and shut down the process, which is how the intrusion was discovered. While the group’s initial targets were in the Middle East, it operates globally, and intelligence suggests it is now targeting safety systems beyond Schneider Electric’s Triconex, across multiple facilities. Dragos assesses with moderate confidence that XENOTIME is seeking the access and capabilities needed to carry out a future disruptive or destructive attack.

The NJCCIC recommends that critical infrastructure owners and operators review the recent Dragos blog post and original TRISIS report, as well as the FireEye TRITON report; scan their networks for the indicators of compromise (IOCs) those reports provide; and apply the recommendations in them to reduce the cyber risk posed by this threat. The NJCCIC threat profile on TRISIS/TRITON can be found here.