XENOTIME Threat Group Targeting Electric Utilities in US
The XENOTIME threat group responsible for targeting oil and gas companies with the TRISIS malware (also known as TRITON) in 2017 is now targeting electric utilities in the United States and the Asia-Pacific region. The group, attributed by cybersecurity firm FireEye to the Russian government-owned Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), used TRISIS to target Schneider Electric’s Triconex safety instrumented systems (SIS). At that time, researchers at Dragos believed the group's targets were restricted to organizations in the Middle East. Since at least May 2018, however, Dragos has observed the group targeting safety systems other than Triconex at companies around the world. Thus far, no intrusion attempts appear to have been successful. Dragos suggests this behavior may be preparation for a future cyber-attack, as the activity is consistent with reconnaissance rather than disruption. The NJCCIC recommends that organizations in the electric sector and other critical infrastructure sectors review the Dragos blog post for additional details and defense recommendations. Organizations are advised to implement a defense-in-depth cybersecurity strategy; apply the Principle of Least Privilege; and keep anti-virus/anti-malware, hardware, and software updated.