XENOTIME: the APT threatening critical infrastructure
June 2019 by Panda Security
These days, cybercrime affects all kinds of businesses. This year alone, we’ve seen cyberattacks carried out against city halls, aluminum producers, and even such well-known companies as Amazon. All of these incidents have grave consequences for the victims, from reputational damage and interruptions in the production chain, to paralyzing the whole business and incurring hefty fines.
Without a doubt, there is one sector that is particularly vulnerable: critical infrastructure. A cyberattack that affected a country’s water supply, or that interrupted service in a hospital, could even cause loss of life.
XENOTIME: a threat to Industrial Control Systems
Last year we asked what would happen if an attack interrupted a country’s power supply. Now it seems that this situation could become a reality.
XENOTIME is an APT (Advanced Persistent Threat) that has alleged links with Russia. It rose to notoriety when it carried out an attack on the industrial control systems of a Middle Eastern oil company using a piece of malware that managed to interfere with the company’s safety instrumented system (SIS). As of today, it is still one of the few pieces of malware that has managed to impact the physical process of an ICS.
After this incident, XENOTIME began to attack companies outside the Middle East, and even managed to compromise several ICS vendors, potentially enabling a supply chain attack.
Now, researchers at an industrial cybersecurity company have seen that XENOTIME has started to probe the networks of electric utility companies in the United States and Asia-Pacific, looking for information and enumerating the network resources associated with these companies.
The researchers explain that this behavior could indicate that the group is preparing another cyberattack, or at least is preparing the prerequisites for future ICS infiltration. These activities are consistent with the first phase of the ICS Cyber Kill Chain, including authentication attempts with credentials or possible attempts at credential stuffing.
A change of tactic
This change of target is unusual among APTs that attack ICS. These attacks are complex and expensive, which means that groups tend to focus their efforts on one sector and one geography – oil companies in the Middle East, for example. The fact that XENOTIME is investing in diversifying its activities and its geographic scope could be a harbinger of a future in which APTs have much larger ranges.
Critical infrastructure is vulnerable
In 2018, vulnerabilities in critical infrastructure increased 14% compared to the previous year, and the number of vulnerability warnings is predicted to keep rising in 2019. In fact, in the last two years, 90% of critical infrastructures have been hit by at least one cyberattack.
The US Department of Energy is aware of how vulnerable their system could be. This is why in 2016 they carried out “Liberty Eclipse”, a simulation of a cyberattack that caused blackouts in eight states. The Department wanted to test responses to this type of incident, as well as to engage employees in discussions about preparations for cyberincidents.
How to curb cyberattacks on critical infrastructure
This kind of simulation is a very good way of understanding how a company would react to a cyberattack of this scale. In order to ensure that they are protected, these companies need to follow a series of recommendations.
1.- Analysis of weak points. It is important that organizations carry out an in-depth analysis of their systems in order to know them in detail. This way, they will be able to detect any vulnerabilities or weak points. As well as protecting these points, the heads of cybersecurity must give them priority in their security plans, and even consider the possibility of isolating them if they pose a serious risk.
2.- Automatic reaction. When a cyberthreat appears, time is of the essence. While stopping a cyberattack from getting onto the system is the priority, it is also essential to have action protocols and automatic responses to solve any problem if it becomes unavoidable.
3.- Constant monitoring. The best way to stop any threat from affecting our systems is to know exactly what is happening on them at all times. Panda Adaptive Defense monitors all processes that are running on a system in real time. It detects any unusual activity, and stops unknown processes from running. This way, it can stop any danger before it can happen.