These hacking groups are eyeing power grids, says security company

Cybersecurity company warns that hackers are investigating industrial control systems associated with power infrastructure.

At least three hacking groups have the capability to interfere with or disrupt power grids across the US – and the number of cyber-criminal operations targeting electricity and other utilities is on the rise, according to a new report on the state of industrial control systems.

Cyber security company Dragos said that political and military tensions in the Gulf appear to coincide with a rise in interest among hacking groups in targeting electricity grids, power companies and other utility-related systems in the US.

"The threat landscape focusing on electric utilities in North America is expansive and increasing, led by numerous intrusions into ICS networks for reconnaissance and research purposes and ICS activity groups demonstrating new interest in the electric sector," warned its North American Electric Cyber Threat Perspective report.

The report notes that the security researchers are tracking seven groups that target electrical facilities in North America and that three of these have demonstrated the capability to "infiltrate or disrupt" electrical power networks.

While Dragos doesn't say which nation states or cyber-criminal groups could be behind these attacks, the company has outlined three operations that show evidence of disruption capabilities: Xenotime, Dymalloy and Electrum.

Xenotime is the hacking group behind the Triton cyberattack that disrupted oil and gas facilities in Saudi Arabia in 2017. This attack was tailored towards Triconex safety controllers and researchers warn that this incident "represented an escalation of ICS attacks due to its potential catastrophic capabilities and consequences".

Since then, Xenotime has expanded activity to include electric facilities in North America, alongside utilities across Europe, Australia and the Middle East. The group has repeatedly demonstrated its ability to access, operate, and conduct attacks in an industrial environment and Dragos believes the group capable of attacks against US-based systems.

Dymalloy is described as a "highly aggressive and capable activity group" with the ability to achieve long-term and persistent access to IT and operational environments for both intelligence-gathering and possible disruption. Victims of the group's hacking campaigns have already been discovered in Turkey, Europe and North America. It's suggested that Dymalloy has links to the Dragonfly hacking group.

A third group, Electrum, is also described as "capable of developing malware that can modify electric equipment processes" and ICS protocols. While it mostly focused previous attacks on Ukraine – including causing power outages in winter – it is described as well-resourced and Dragos warns that the group is capable of physically disruptive events. "North American electric utilities should consider Electrum to be a serious threat," warns the paper.

While the report states that there have been some minor improvements in the security of these systems, there's still more to be done.

But simple security practices – like segmenting networks, installing security patches, not using default passwords and requiring two-factor authentication on systems inside industrial environments – could go a long way towards protecting against these kinds of cyberattacks.
