Hackers That Took Down Saudi Oil Site Probing U.S. Grids

(Bloomberg) -- A group of hackers that shut down a Saudi Arabian oil and natural gas facility in 2017 is now targeting electric utilities in the U.S. and Asia, according to cyber-security company Dragos Inc.

The group, Xenotime, has been probing utilities since late 2018, Hanover, Maryland-based Dragos said in a blog post Friday. It has focused mostly on electronic control systems that manage operations at industrial sites, Dragos said.

Cyber-security firm FireEye Inc. has linked the group to a research institution in Moscow owned by the Russian government, called the Central Scientific Research Institute of Chemistry and Mechanics. Xenotime is one of few groups in the world to use malware tailored to industrial control systems, said Benjamin Read, a FireEye senior manager.

A spokesman for the Russian embassy in Washington did not immediately respond to a request for comment.

U.S. officials have long warned grids are vulnerable to cyber attacks. Disrupting a region’s electrical infrastructure could cause widespread chaos, triggering blackouts and crippling financial markets, transportation systems and more.

“Most hackers in the world don’t want to kill people,” Sergio Caltagirone, Dragos’s vice president of threat intelligence, said in an interview. But Xenotime’s track record suggests it’s “one of the things they’d like to do.”

Dragos’s blog said the attackers appear to be probing for weaknesses in U.S. power systems -- a step less serious than an actual attack -- and there is so far no evidence of “a known, successful intrusion.”

The research by Dragos indicates “very early stage” activity, said Read of FireEye. It “doesn’t inherently mean that Russia is going to want to turn out the grid next week or even that they have made the decision to do that when they are ready,” he said.

The hacking group gained notice after a 2017 malware attack on a Saudi Arabian petrochemical facility, Dragos said. The attackers targeted safety systems to cause “loss of life or physical damage,” according to the blog post.

Xenotime is the only group Dragos has seen target different industrial sectors. “The cost and resources to move between sectors is huge,” Caltagirone said. The group’s nearly yearlong probe of utilities, he said, “shows more than a passing interest.”

--With assistance from Michael Riley.

To contact the reporters on this story: Will Wade in New York at wwade4@bloomberg.net; Alyza Sebenius in Washington at asebenius@bloomberg.net

To contact the editors responsible for this story: Lynn Doan at ldoan6@bloomberg.net, Joe Ryan, Pratish Narayanan

©2019 Bloomberg L.P.