On the scale of security threats, hackers scanning potential targets for vulnerabilities might seem to rank rather low. But when it's the same hackers who previously executed one of the most reckless cyberattacks in history—one that could have easily turned destructive or even lethal—that reconnaissance has a more foreboding edge. Especially when the target of their scanning is the U.S. power grid.
Over the past several months, security analysts at the Electricity Information Sharing and Analysis Center (E-ISAC) and the critical-infrastructure security firm Dragos have been tracking a group of sophisticated hackers carrying out broad scans of dozens of U.S. power grid targets, apparently looking for entry points into their networks. Scanning alone hardly represents a serious threat. But these hackers, known as Xenotime—or sometimes as the Triton actor, after their signature malware—have a particularly dark history. The Triton malware was designed to disable the safety instrumented systems (SIS) at the Saudi Arabian oil refinery Petro Rabigh in a 2017 cyberattack, with the apparent aim of crippling the equipment whose job is to detect conditions such as leaks or dangerous pressure levels and shut the plant down safely before they turn into explosions or other catastrophic physical events. Dragos has called Xenotime "easily the most dangerous threat activity publicly known."