{
	"id": "a5f3b216-a020-4c0e-bdfd-10870533fb61",
	"created_at": "2026-04-06T00:13:03.202177Z",
	"updated_at": "2026-04-10T03:37:08.586615Z",
	"deleted_at": null,
	"sha1_hash": "580c800ef8f68b50c42d2446cb5ce129a633e7f1",
	"title": "Threat Proliferation in ICS Cybersecurity: XENOTIME Now Targeting Electric Sector, in Addition to Oil and Gas",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 58224,
	"plain_text": "Threat Proliferation in ICS Cybersecurity: XENOTIME Now\r\nTargeting Electric Sector, in Addition to Oil and Gas\r\nBy Dragos, Inc.\r\nPublished: 2019-06-14 · Archived: 2026-04-02 10:42:12 UTC\r\nThe most dangerous threat to ICS has new targets in its sights. Dragos identified the XENOTIME activity group\r\nexpanded its targeting beyond oil and gas to the electric utility sector. This expansion to a new vertical illustrates a\r\ntrend that will likely continue for other ICS-targeting adversaries.\r\nIndustrial control system (ICS) cyber threats are proliferating. More capable adversaries are investing heavily in\r\nthe ability to disrupt critical infrastructure like oil and gas, electric power, water, and more. Attacking any\r\nindustrial sector requires significant resources, which increases as capabilities and targeting expand. The high\r\nresource requirement previously limited such attacks to a few potential adversaries, but as more players see value\r\nand interest in targeting critical infrastructure – and those already invested see dividends from their behaviors –\r\nthe threat landscape grows.\r\nTo illustrate and highlight this major strategic risk to industrial environments worldwide and across every industry,\r\nDragos is publishing new intelligence on XENOTIME. In anticipation of this release, Dragos worked with global\r\nelectric utilities to increase their defense against this and the other threats to industrial control systems. Dragos\r\nPlatform customers have detections for XENOTIME, as the product receives these and other threat behavior\r\ndetection updates regularly.\r\nXENOTIME Proliferation: A Shift in the ICS Threat Landscape\r\nXENOTIME, the group behind the TRISIS event, previously focused on oil and gas related targeting. 
In February\r\n2019, Dragos identified a change in XENOTIME behavior: starting in late 2018, XENOTIME began probing the\r\nnetworks of electric utility organizations in the US and elsewhere using similar tactics to the group’s operations\r\nagainst oil and gas companies.\r\nMultiple ICS sectors now face the XENOTIME threat; this means individual verticals – such as oil and gas,\r\nmanufacturing, or electric – cannot ignore threats to other ICS entities because they are not specifically targeted.\r\nAs such, a key element in defense against sophisticated, expanding threats is understanding threat behaviors and\r\nmethodologies, beyond simply indicators of compromise.\r\nAsset owners and operators across ICS should be aware of XENOTIME’s tactics, techniques, and procedures, and\r\nconsider using an ICS-specific detection capability like the Dragos Platform while also implementing defensive\r\nrecommendations discussed below.\r\nActivity Overview\r\nhttps://dragos.com/blog/industry-news/threat-proliferation-in-ics-cybersecurity-xenotime-now-targeting-electric-sector-in-addition-to-oil-and-gas/\r\nPage 1 of 4\n\nThe 2017 TRISIS malware attack on a Saudi Arabian oil and gas facility represented an escalation of attacks on\r\nICS. TRISIS targeted safety systems and was designed to cause loss of life or physical damage. Following that\r\nattack, XENOTIME expanded its operations to include oil and gas entities outside the Middle East. Additionally,\r\nthe group compromised several ICS vendors and manufacturers in 2018, providing potential supply chain threat\r\nopportunities and vendor-enabled access to target ICS networks.\r\nXENOTIME operations since the TRISIS event in 2017 included significant external scanning, network\r\nenumeration, and open source research of potential victims, combined with attempts at external access. 
This\r\nactivity emphasized North American and European companies.\r\nIn February 2019, while working with clients across various utilities and regions, Dragos identified a persistent\r\npattern of activity attempting to gather information and enumerate network resources associated with US and\r\nAsia-Pacific electric utilities.\r\nThis behavior could indicate the activity group was preparing for a further cyberattack, or at minimum satisfying\r\nthe prerequisites for a future ICS-focused intrusion. The activities are consistent with Stage 1 ICS Cyber Kill\r\nChain reconnaissance and initial access operations, including observed incidents of attempted authentication with\r\ncredentials and possible credential “stuffing,” or using stolen usernames and passwords to try to force entry into\r\ntarget accounts.\r\nCause for Concern\r\nWhile none of the electric utility targeting events has resulted in a known, successful intrusion into victim\r\norganizations to date, the persistent attempts and expansion in scope are cause for definite concern. XENOTIME\r\nhas successfully compromised several oil and gas environments, which demonstrates its ability to do so in other\r\nverticals. Specifically, XENOTIME remains one of only four threats (along with ELECTRUM, Sandworm, and\r\nthe entities responsible for Stuxnet) to execute a deliberate disruptive or destructive attack.\r\nXENOTIME is the only known entity to specifically target safety instrumented systems (SIS) for disruptive or\r\ndestructive purposes. Electric utility environments are significantly different from oil and gas operations in several\r\naspects, but electric operations still have safety and protection equipment that could be targeted with similar\r\ntradecraft. 
XENOTIME expressing consistent, direct interest in electric utility operations is a cause for deep\r\nconcern given this adversary’s willingness to compromise process safety – and thus integrity – to fulfill its\r\nmission.\r\nXENOTIME’s expansion to another industry vertical is emblematic of an increasingly hostile industrial threat\r\nlandscape. Most observed XENOTIME activity focuses on initial information gathering and access operations\r\nnecessary for follow-on ICS intrusion operations. As seen in long-running state-sponsored intrusions into US, UK,\r\nand other electric infrastructure, entities are increasingly interested in the fundamentals of ICS operations and\r\ndisplaying all the hallmarks associated with information and access acquisition necessary to conduct future\r\nattacks. While Dragos sees no evidence at this time indicating that XENOTIME (or any other activity group, such\r\nas ELECTRUM or ALLANITE) is capable of executing a prolonged disruptive or destructive event on electric\r\nutility operations, observed activity strongly signals adversary interest in meeting the prerequisites for doing so.\r\nDefensive Recommendations\r\nAsset Identification and Environmental Awareness\r\nICS asset owners and operators across all industries must prepare for potential breach and disruption scenarios.\r\nThe most important thing a security team can do is improve visibility and awareness of ICS network activity,\r\nchiefly through a combination of network observables, host-based logs, and process-specific data.\r\nThreat Behavior Detection\r\nICS-specific threat intelligence can also be leveraged to identify unique threat behavior patterns, evolving\r\nadversary methodology, and specific conduct.\r\nInvestigation, Response, and Recovery\r\nWhen investigating or detecting ICS-specific intrusions 
and manipulation for hostile purposes, defenders must\r\nleverage all available information sources — from IT-like observations to process-specific impacts — and fuse\r\nthem to gain a complete view of ICS network operations, enabling informed response and root cause analysis of\r\nindustrial incidents.\r\nGiven that XENOTIME is capable of and willing to execute a fundamental attack on process safety through\r\nattempted SIS modification, asset owners and operators must begin planning now for response and recovery\r\nscenarios related to a loss of SIS integrity. Specific items relating to response and recovery which can be\r\nimmediately implemented include:\r\nIdentify vendor contacts for support and analysis on specialized equipment not amenable to standard IT-based investigation techniques\r\nHave appropriate incident response capabilities either in-house or on call\r\nMaintain known-good configuration and process data both for comparison to possibly compromised\r\ndevices, and to enable rapid recovery in the event of a breach\r\nIdentify operational workarounds to maintain known-good, known-safe production or generating capability\r\nIrrespective of how an organization addresses these questions, ICS operators must address such concerns in\r\nadvance, rather than trying to figure out such sensitive, complex items mid- or post-intrusion.\r\nConclusion\r\nUltimately, XENOTIME’s expansion to an additional ICS vertical is deeply concerning given this entity’s\r\nwillingness to undermine fundamental process safety in ICS environments, placing lives and environments at great\r\nrisk.\r\nDragos emphasizes that the observed behavior is an expansion, a proliferation of the threat, and not a shift – oil\r\nand gas entities must still grapple with this adversary’s activity. 
While unfortunate, the expansion should serve as\r\na clear signal to ICS operators – not only in oil and gas or electric utility operations – that the time to plan,\r\nimplement, and enforce security standards and response processes in industrial environments is now.\r\nFor policymakers and risk managers, it is important to note that cross-geography and cross-industry collaboration\r\nis critical. Critical infrastructure cannot be siloed as the threat is operating across verticals and may even use one\r\nagainst the other; for instance, targeting electric to deny power to an oil refinery. Utilities, companies, and\r\ngovernments must work cooperatively around the world and across industrial sectors to jointly defend lives and\r\ninfrastructure from the increasing scope and scale of offensive critical infrastructure cyber attack.\r\nSource: https://dragos.com/blog/industry-news/threat-proliferation-in-ics-cybersecurity-xenotime-now-targeting-electric-sector-in-addition-to-oil-and-gas/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://dragos.com/blog/industry-news/threat-proliferation-in-ics-cybersecurity-xenotime-now-targeting-electric-sector-in-addition-to-oil-and-gas/"
	],
	"report_names": [
		"threat-proliferation-in-ics-cybersecurity-xenotime-now-targeting-electric-sector-in-addition-to-oil-and-gas"
	],
	"threat_actors": [
		{
			"id": "5fb9f77b-1273-4658-884e-49f5f511dcd7",
			"created_at": "2022-10-25T15:50:23.591795Z",
			"updated_at": "2026-04-10T02:00:05.383475Z",
			"deleted_at": null,
			"main_name": "TEMP.Veles",
			"aliases": [
				"TEMP.Veles",
				"XENOTIME"
			],
			"source_name": "MITRE:TEMP.Veles",
			"tools": [
				"Mimikatz",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a792743d-78a4-40c9-9d9a-a12c52880297",
			"created_at": "2023-01-06T13:46:38.75457Z",
			"updated_at": "2026-04-10T02:00:03.089271Z",
			"deleted_at": null,
			"main_name": "ALLANITE",
			"aliases": [
				"Palmetto Fusion",
				"Allanite"
			],
			"source_name": "MISPGALAXY:ALLANITE",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1a76ed30-4daf-4817-98ae-87c667364464",
			"created_at": "2022-10-25T16:47:55.891029Z",
			"updated_at": "2026-04-10T02:00:03.646466Z",
			"deleted_at": null,
			"main_name": "IRON LIBERTY",
			"aliases": [
				"ALLANITE ",
				"ATK6 ",
				"BROMINE ",
				"CASTLE ",
				"Crouching Yeti ",
				"DYMALLOY ",
				"Dragonfly ",
				"Energetic Bear / Berserk Bear ",
				"Ghost Blizzard ",
				"TEMP.Isotope ",
				"TG-4192 "
			],
			"source_name": "Secureworks:IRON LIBERTY",
			"tools": [
				"ClientX",
				"Ddex Loader",
				"Havex",
				"Karagany",
				"Loek",
				"MCMD",
				"Sysmain",
				"xfrost"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "0f09b73e-caa9-40e6-bd0b-c13503e4e94c",
			"created_at": "2023-01-06T13:46:39.001286Z",
			"updated_at": "2026-04-10T02:00:03.1772Z",
			"deleted_at": null,
			"main_name": "TEMP.Veles",
			"aliases": [
				"Xenotime",
				"G0088",
				"ATK91"
			],
			"source_name": "MISPGALAXY:TEMP.Veles",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "0a0132a3-526d-4698-be49-5e75530c1417",
			"created_at": "2022-10-25T15:50:23.856139Z",
			"updated_at": "2026-04-10T02:00:05.42054Z",
			"deleted_at": null,
			"main_name": "ALLANITE",
			"aliases": [
				"ALLANITE",
				"Palmetto Fusion"
			],
			"source_name": "MITRE:ALLANITE",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "1c4281e9-0a4c-4f20-94a2-25ed3661cc98",
			"created_at": "2022-10-25T16:07:23.301826Z",
			"updated_at": "2026-04-10T02:00:04.529332Z",
			"deleted_at": null,
			"main_name": "Allanite",
			"aliases": [
				"G1000",
				"Palmetto Fusion"
			],
			"source_name": "ETDA:Allanite",
			"tools": [
				"PsExec",
				"SecreetsDump",
				"THC Hydra"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5cbf6c32-482d-4cd2-9d11-0d9311acdc28",
			"created_at": "2023-01-06T13:46:38.39927Z",
			"updated_at": "2026-04-10T02:00:02.958273Z",
			"deleted_at": null,
			"main_name": "ENERGETIC BEAR",
			"aliases": [
				"BERSERK BEAR",
				"ALLANITE",
				"Group 24",
				"Koala Team",
				"G0035",
				"ATK6",
				"ITG15",
				"DYMALLOY",
				"TG-4192",
				"Crouching Yeti",
				"Havex",
				"IRON LIBERTY",
				"Blue Kraken",
				"Ghost Blizzard"
			],
			"source_name": "MISPGALAXY:ENERGETIC BEAR",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20012494-3f05-48ce-8c0f-92455e46a4f9",
			"created_at": "2022-10-25T16:07:24.319939Z",
			"updated_at": "2026-04-10T02:00:04.934107Z",
			"deleted_at": null,
			"main_name": "TEMP.Veles",
			"aliases": [
				"ATK 91",
				"G0088",
				"Xenotime"
			],
			"source_name": "ETDA:TEMP.Veles",
			"tools": [
				"Cryptcat",
				"HatMan",
				"Mimikatz",
				"NetExec",
				"PsExec",
				"SecHack",
				"TRISIS",
				"TRITON",
				"Trisis",
				"Triton",
				"Wii"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434383,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/580c800ef8f68b50c42d2446cb5ce129a633e7f1.pdf",
		"text": "https://archive.orkl.eu/580c800ef8f68b50c42d2446cb5ce129a633e7f1.txt",
		"img": "https://archive.orkl.eu/580c800ef8f68b50c42d2446cb5ce129a633e7f1.jpg"
	}
}