U.S. critical infrastructure operators should be on high alert — with a close eye on network anomalies — following the revelation that a hacking group that caused a Saudi industrial plant to shut down last year is targeting facilities outside of the Middle East, industry experts told CyberScoop.
“Detecting these types of advanced, stealthy threats requires extraordinary visibility into your OT [operational technology] network,” said Marty Edwards, former head of the Department of Homeland Security’s Industrial Control Systems (ICS) CERT. “Unfortunately, not all U.S. critical infrastructure asset owners are at that level of maturity.”
The hacking group’s expanded operations mean that U.S. infrastructure operators “should no longer remain complacent in thinking that this is just an issue somewhere else in the world,” Edwards added.
The developers of the Trisis malware, which is designed to ravage the control systems that allow plants to safely shut down, have attacked multiple U.S. companies, CyberScoop reported early Thursday. ICS cybersecurity company Dragos had reported that the hacking group had expanded beyond the Middle East, but did not say where its targets were.
The so-called Xenotime group represents “easily the most dangerous threat activity publicly known,” Dragos said in a blog post. “It is the only activity group intentionally compromising and disrupting industrial safety instrumented systems, which can lead to scenarios involving loss of life and environmental damage.”
Rob Lee, Dragos’s founder, said Xenotime demanded the close attention of ICS security hands because the hacking campaign is active and against more than one vendor.
The group has been able to breach organizations’ IT systems via phishing emails or “watering hole” websites aimed at industrial engineers. With the IT network compromised, the hackers would linger undetected for weeks or months, looking for a weak link to the OT network.
Attackers that plant malware on an IT network can have any number of motivations, from intelligence gathering to financial crime, “but once you find malware on those safety systems, you really get into a different level of threat,” Neil Jenkins, chief analytic officer of the Cyber Threat Alliance told CyberScoop.
Mitigating that type of advanced attack requires detecting anomalous network activity and then clamping down on the ability of compromised devices to communicate with each other, Jenkins said.
Getting the word out
In a statement, DHS spokesman Scott McConnell said the department is aware of the new Dragos report and pointed to a previous DHS threat advisory on the Trisis malware. The April 10 advisory notes that several vendors have added the ability to detect network traffic initiated by Trisis. “Although this may not specifically prevent an attack, it would allow for an early warning that the malware might exist on a particular network or safety system,” the document states.
But such network-related signatures would only help detect variations of Trisis malware. McConnell did not comment on whether DHS planned to issue another advisory based on the new Dragos assessment – or if it already had.
Xenotime’s consistent targeting of safety systems is a “landmark shift” in attacker behavior that few anticipated, according to Jimmy Wylie, a senior adversary hunter at Dragos. ICS owners are certainly capable of detecting and defending against the new safety-system attacks, he added, but that requires grasping the full scope of the systems now in hackers’ crosshairs.
“As defenders, we have to be forward looking, learn the protocols these other vendors are using, and develop the requisite analytics to detect modification to those other safety systems,” Wylie told CyberScoop. “Given that TRISIS’s discovery is still fairly recent, it’s doubtful that vendors have built detections for all safety systems.”
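The approach Jenkins and Wylie describe, detecting anomalous IT-to-OT traffic and modifications to safety systems against a learned baseline rather than relying only on Trisis-specific signatures, as an added example (not code from the article, Dragos or DHS). The zone layout, flow-record fields and sample flows are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

# Constructed zone layout (an assumption; real plant addressing differs).
ZONES = [(ipaddress.ip_network("10.10.0.0/16"), "IT"),
         (ipaddress.ip_network("10.20.0.0/24"), "CONTROL"),
         (ipaddress.ip_network("10.30.0.0/24"), "SAFETY")]

# Flow record; "op" is the decoded request type (e.g. read vs program_write).
Flow = namedtuple("Flow", "src dst dport op")

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((name for net, name in ZONES if addr in net), "UNKNOWN")

def learn_baseline(flows):
    """From a known-good capture, record every (src_zone, dst_zone, port, op)
    pattern and every host that normally talks to the safety network."""
    patterns, safety_peers = set(), set()
    for f in flows:
        patterns.add((zone_of(f.src), zone_of(f.dst), f.dport, f.op))
        if zone_of(f.dst) == "SAFETY":
            safety_peers.add(f.src)
    return patterns, safety_peers

def detect(flows, patterns, safety_peers):
    """Return (alert_type, flow) for each flow that departs from the baseline."""
    alerts = []
    for f in flows:
        key = (zone_of(f.src), zone_of(f.dst), f.dport, f.op)
        if key[1] == "SAFETY" and f.src not in safety_peers:
            # A host that never spoke to the safety network now does.
            alerts.append(("new_peer_to_safety", f))
        elif key not in patterns:
            # A known peer doing something new, e.g. a write to a safety controller.
            alerts.append(("unbaselined_flow", f))
    return alerts

# Constructed sample data, not real captures.
BASELINE_FLOWS = [Flow("10.20.0.5", "10.30.0.10", 502, "read"),
                  Flow("10.20.0.5", "10.30.0.11", 502, "read"),
                  Flow("10.10.0.7", "10.20.0.5", 443, "https")]
OBSERVED_FLOWS = [Flow("10.20.0.5", "10.30.0.10", 502, "read"),           # normal
                  Flow("10.10.0.42", "10.30.0.10", 502, "read"),          # IT host -> safety
                  Flow("10.20.0.5", "10.30.0.11", 502, "program_write")]  # known peer, new op

def run_example():
    patterns, peers = learn_baseline(BASELINE_FLOWS)
    return detect(OBSERVED_FLOWS, patterns, peers)
```

The first alert is the "weak link" case from the article (an IT host reaching the safety network); the second is a write to a safety controller from an otherwise trusted peer, which signatures for a known malware sample would not flag.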
ICS-CERT has in the past sent response teams to support infrastructure firms being assailed by advanced hackers. Edwards, who is now managing director of the Automation Federation, said that he hopes DHS is “providing boots on the ground to assist as needed” companies that are grappling with the Xenotime attacks.
“As threats like this start to penetrate U.S. critical infrastructure, companies need to reevaluate their risk tolerance,” he added, perhaps by shifting “more investment towards detection and response rather than a solely cyber hygiene-based approach.”
Jenkins, who is also a former senior DHS cybersecurity official, said the department would strive to get new unclassified information on Xenotime to the ICS vendors being attacked, and – if necessary – use classified channels to warn of the threat. But the latter move could be challenging, and reach a limited audience, given the apparent dearth of security clearances in the private sector.
Regardless, the severity of the threat means DHS’s cybersecurity teams will look to leverage the closer relationships they have sought with critical infrastructure companies.
If government and private-sector personnel clearly identify the “critical functions” that infrastructure operators rely on to deliver services, the government can do a better job of warning companies of “any adversary attempting to disrupt those services and functions,” Jeanette Manfra, DHS’s top cybersecurity official, said in a speech Tuesday.
UPDATE, 06/01/2018: This story has been updated with perspective from Jimmy Wylie, a senior adversary hunter at Dragos.