Free Republic

To: Zhang Fei

XENOTIME rose to prominence in December 2017 when Dragos and FireEye jointly published details of TRISIS (also known as TRITON, the focus of the MITRE Engenuity ATT&CK® Evaluations for ICS) destructive malware targeting Schneider Electric’s Triconex safety instrumented system.

https://www.dragos.com/threat/xenotime/

MITRE report https://attack.mitre.org/groups/G0088/

Oct 23, 2020
WHEN MYSTERIOUS HACKERS triggered the shutdown of a Saudi Arabian oil refinery in August of 2017, the subsequent investigation found that the malware used in that attack had unprecedented, uniquely lethal potential: It was intended to disable safety systems in the plant designed to prevent dangerous conditions that could lead to leaks or explosions. Now, three years later, at least one Russian organization responsible for that callous cyberattack is being held to account.

Today the US Treasury imposed sanctions on Russia’s Central Scientific Research Institute of Chemistry and Mechanics, the organization that exactly two years ago was revealed to have played a role in the hacking operation that used that malware known as Triton or Trisis, intended to sabotage the Petro Rabigh refinery’s safety devices. Triton was designed specifically to exploit a vulnerability in the Triconex-branded “safety-instrumented systems” sold by Schneider Electric. Instead, it triggered a failsafe mechanism that shut down the Rabigh plant altogether.

The hackers who deployed Triton, given the name Xenotime by the industrial cybersecurity firm Dragos, have also probed US power grid targets, according to Dragos and the Electric Information Sharing and Analysis Center, scanning for points of entry into the networks of American utilities.

https://www.wired.com/story/russia-sanctions-triton-malware/

Treasury Sanctions Russian Government Research Institution Connected to the Triton Malware
https://home.treasury.gov/news/press-releases/sm1162

References https://malpedia.caad.fkie.fraunhofer.de/actor/xenotime

We have to wait for the report, but it is not unlikely that this group was responsible.


40 posted on 06/22/2022 3:12:17 PM PDT by AdmSmith (GCTGATATGTCTATGATTACTCAT)


To: marcusmaximus; Paul R.; Bruce Campbells Chin; PIF; familyop; MercyFlush; tet68; BeauBo; TalBlack; ..

Ukraine ping

People have apocalyptic visions of American retaliation. In real life, various countries have done all kinds of things without any serious response. And it’s not even unique to the US. Here’s a list of things where either no or minimal response resulted:

(1) the attack on the Panay by Imperial Japan
(2) the taking of the Pueblo by North Korea
(3) the taking of the Mayaguez by Cambodia
(4) the Russian shootdown of KAL007 in 1983, which killed a Congressman and 63 Americans
(5) the downing of Pan Am 103 by Libya in 1988 which killed 190 Americans
(6) the 1993 attack on the World Trade Center by bin Laden

Taking out an oil pipeline is a footnote, relative to those other things. And many of these other countries lacked any serious ability to retaliate if the US decided to, for instance, burn their hometowns to the ground.

Update by AdmSmith:


[XENOTIME rose to prominence in December 2017 when Dragos and FireEye jointly published details of TRISIS (also known as TRITON, the focus of the MITRE Engenuity ATT&CK® Evaluations for ICS) destructive malware targeting Schneider Electric’s Triconex safety instrumented system.

https://www.dragos.com/threat/xenotime/

MITRE report https://attack.mitre.org/groups/G0088/

Oct 23, 2020
WHEN MYSTERIOUS HACKERS triggered the shutdown of a Saudi Arabian oil refinery in August of 2017, the subsequent investigation found that the malware used in that attack had unprecedented, uniquely lethal potential: It was intended to disable safety systems in the plant designed to prevent dangerous conditions that could lead to leaks or explosions. Now, three years later, at least one Russian organization responsible for that callous cyberattack is being held to account.

Today the US Treasury imposed sanctions on Russia’s Central Scientific Research Institute of Chemistry and Mechanics, the organization that exactly two years ago was revealed to have played a role in the hacking operation that used that malware known as Triton or Trisis, intended to sabotage the Petro Rabigh refinery’s safety devices. Triton was designed specifically to exploit a vulnerability in the Triconex-branded “safety-instrumented systems” sold by Schneider Electric. Instead, it triggered a failsafe mechanism that shut down the Rabigh plant altogether.

The hackers who deployed Triton, given the name Xenotime by the industrial cybersecurity firm Dragos, have also probed US power grid targets, according to Dragos and the Electric Information Sharing and Analysis Center, scanning for points of entry into the networks of American utilities.

https://www.wired.com/story/russia-sanctions-triton-malware/

Treasury Sanctions Russian Government Research Institution Connected to the Triton Malware
https://home.treasury.gov/news/press-releases/sm1162

References https://malpedia.caad.fkie.fraunhofer.de/actor/xenotime

We have to wait for the report, but it is not unlikely that this group was responsible.]


41 posted on 06/22/2022 3:20:41 PM PDT by Zhang Fei (My dad had a Delta 88. That was a car. It was like driving your living room.)

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson