The group behind Trisis has expanded its targeting to the U.S. electric sector

ICS security firm Dragos has briefed over 20 utilities on the new activity.

The notorious hacking group behind the Trisis malware, which is designed to disrupt industrial safety systems, has expanded its targeting to include U.S. electric utilities, according to new research.

The group, known as Xenotime, most famously deployed the Trisis malware on a Saudi petrochemical plant in the summer of 2017, forcing it to shut down. But starting in late 2018, according to analysts at industrial cybersecurity company Dragos, Xenotime went beyond its focus on the oil and gas sector to probe the networks of electric utilities in the U.S. and elsewhere.

“While there is no evidence at this time that Xenotime has successfully breached any of the entities it has probed in U.S. electric utilities, the fact that this actor – which has already demonstrated the willingness and capability to execute a disruptive ICS [industrial control system] attack – is now actively gathering information on electric utilities is deeply concerning,” Joe Slowik, an adversary hunter at Dragos, told CyberScoop.

The recent Xenotime activity against American electric utilities includes gathering open-source information, scanning networks and “likely probing for vulnerable, external-facing services,” Slowik said. “While very early in the intrusion lifecycle, these all represent necessary prerequisites for follow-on intrusion attempts and are precursors to further activity.”


The recent activity did not include deploying the actual Trisis malware, a sophisticated package of code that had the security world spooked when it first surfaced.

Slowik said Dragos had briefed over 20 utilities on the new Xenotime activity. Most of them are in the United States but some are in the Asia-Pacific region, where activity from Xenotime was detected starting in late 2018. In May 2018, CyberScoop reported that Xenotime had expanded its operations to include targeting U.S. industrial firms. That activity covered the oil and gas sector, whereas the more recent probing from Xenotime has been of electric utilities. Dragos detected the new activity earlier this year and discovered it stretched back to mid-2018, Slowik said.

In research on Xenotime published Friday, Dragos pointed out that the field of hackers targeting ICS, once confined to a few groups because of the heavy investments in tooling required, has expanded significantly in recent years.

“[A]s more players see value and interest in targeting critical infrastructure – and those already invested see dividends from their behaviors – the threat landscape grows,” the company said in a blog post.

E&E News was first to report on the new Xenotime activity.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
