Profile picture
Robert M. Lee
@RobertMLee
, 10 tweets, 2 min read Read on Twitter
Quick break down on what the Dragos blog today on XENOTIME does and doesn’t mean. Thread:
XENOTIME is the threat responsible for the TRISIS (TRITON) attack in Saudi Arabia. For months Dragos has tracked them including penetrating oil and gas companies in North America. We also observed them start to target (specific reconnaissance) against US electric utilities.
We’ve been privately reporting to the community and made sure we worked with appropriate orgs who could get the word out to the utilities. XENOTIME is the only threat to have crossed the line to have ever tried to kill someone (TRISIS targeted safety systems). It’s serious.
We were made aware some of that reporting through organizations was accidentally made public by an organization so we published the blog to make sure to capture the story correctly. Key points to follow.
XENOTIME is the threat, this does NOT mean TRISIS or any variant of malware has been deployed somewhere else. What we track here and are talking about is the adversary themselves and their intrusions.
XENOTIME is a very serious threat so an additional set of targeting towards specific electric utilities and the type of recon they’re doing is very concerning and (publicly) new info. There have NOT been compromised electric utilities that we know of.
Every asset owner and operator that we had communicated with or had our private sector or government partners communicate with them that they were being targeted took things very seriously and prepared appropriately. We have work to do as an ICS community but so many do so much.
There is no reason to freak out or hype this up there’s only the reason to note that this is indeed very serious and as an example of threat and tradecraft proliferation in ICS as a community we can’t go “that’s not my sector” and ignore the ICS specific threats. Learn from them
XENOTIME is one of four threats to ever develop malware to successfully cause disruption or destruction of an ICS. They’re a sophisticated and aggressive team. But we haven’t yet seen additional malware by them. As with all things with proper preparation defense is doable.
As an alternative: his Tl;DR was better than mine -
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Robert M. Lee
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @RobertMLee see all

Profile picture
Robert M. Lee
@RobertMLee
(venting a bit warning but also going to talk openly about why we did something.) So @DragosInc acquired NexDefense to release its tool to the community. @digitalbond didn’t like that answer that we’d do this do help folks. He challenged me publicly on it and I explained.
After explaining the full details of why he still decided to run in his newsletter the following: “I'm not buying the stated reason of helping the community by moving Sophia/Integrity to open source.” To a large public audience.
It’s up to everyone to make their own decision but since we’re being called a liar essentially I’d like to expose the reasons to everyone. Which by the way don’t actually impact anyone because it’s still a free tool for folks to use regardless.
Read 11 tweets
Profile picture
Robert M. Lee
@RobertMLee
The moment we’ve (@DragosInc at least) have been waiting for...the S4 ICS Threat Detection results. #S4x19
All the competitors in the space were invited. In the end, three stepped up. Kaspersky ICS, an open source tool team by an ICS sec analyst from an asset owner/operator, and Dragos. Because the others didn’t participate it turned from a competition to more of an evaluation #S4x19
“Claroty and Dragos stepped up early. We reached out to 20+ of the vendors and they all said no.” @digitalbond then notes that Claroty backed out a few weeks before the competition so it morphed to an evaluation. The challenge kicks off with Ron who put 500+ hours into making it
Read 29 tweets
Profile picture
Robert M. Lee
@RobertMLee
The secret #S4x19 talk on TRISIS (TRITON) is Julian who was an incident responder at Saudi Aramco who led the incident response (Aramco wasn’t the victim). He’s not revealing new info but is giving lessons learned from his first hand experience.
Notes there were multiple outages associated with TRISIS. First attack was June 2017 on a Saturday evening. One ESD controller impacted and DCS didn’t reflect the unsafe condition (quoting his slides).
Schneider checked the controller and didn’t identify the attack. Deemed it normal. Recommended restoring operations. Second outage occurred in 4th of August on Friday evening. Multiple controllers impacted across multiple phases of plant (six controllers).
Read 24 tweets

Related threads

Profile picture
Filomena Rocha
@Filomen03258997
14. Holocaust in Yemen caused by US, France, UK, Saudi Arabia, UAEmirates, Israel, Bahrain, Egypt, Jordan, Kuwait, Senegal, Sudan, Qatar, Morocco, Canada, Australia, Germany
#Yemen #CrimesAgainstHumanity #WarCrime #Holocaust #YemenCantWait #YemenHolocaust #WorldHypocrisy
1. Holocaust in Yemen caused by US, France, UK, Saudi Arabia, UAEmirates, Israel, Bahrain, Egypt, Jordan, Kuwait, Senegal, Sudan, Qatar, Morocco, Canada, Australia, Germany 🤨👇🏼
threadreaderapp.com/thread/1109495…
2. Holocaust in Yemen caused by US, France, UK, Saudi Arabia, UAEmirates, Israel, Bahrain, Egypt, Jordan, Kuwait, Senegal, Sudan, Qatar, Morocco, Canada, Australia, Germany 🤨👇🏼
threadreaderapp.com/thread/1112537…
Read 100 tweets
Profile picture
Simwal
@Simwal
#Thread

#MOONSIGHTING

Eid Mubarak

Later tonight the moon will be clearly visible and the usual debate on the size will start, some will claim it’s 2 days old and some 3 days old by mere looking at its size.
The moon will be about 32 hrs old tonight by sunset, it’s altitude will be about 16 degrees and it will set about 1hr 12mins after sunset in most locations in Nigeria. So technically 32hrs is 1.3 days, generally the crescent becomes visible after 20 hrs
It’s als worth mentioning that the verified world record for a naked eye sighting stands at 15 hrs and 32 mins by Steven O’Meara renowned visual astronomer in May 1990.

The moon was 5hrs 37mins old in Tumair Saudi Arabia when it was claimed that it was sighted by naked eye,
Read 24 tweets
Profile picture
Filomena Rocha
@Filomen03258997
12. Holocaust in Yemen caused by US, France, UK, Saudi Arabia, UAEmirates, Israel, Bahrain, Egypt, Jordan, Kuwait, Senegal, Sudan, Qatar, Morocco, Canada, Australia, Germany
#Yemen #CrimesAgainstHumanity #WarCrime #Holocaust #YemenCantWait #YemenHolocaust #WorldHypocrisy
1. Holocaust in Yemen caused by US, France, UK, Saudi Arabia, UAEmirates, Israel, Bahrain, Egypt, Jordan, Kuwait, Senegal, Sudan, Qatar, Morocco, Canada, Australia, Germany 🤨👇🏼
threadreaderapp.com/thread/1109495…
2. Holocaust in Yemen caused by US, France, UK, Saudi Arabia, UAEmirates, Israel, Bahrain, Egypt, Jordan, Kuwait, Senegal, Sudan, Qatar, Morocco, Canada, Australia, Germany 🤨👇🏼
threadreaderapp.com/thread/1112537…
Read 92 tweets
Profile picture
Filomena Rocha
@Filomen03258997
8. Holocaust in Yemen caused by Saudi Arabia, United Arab Emirates, Bahrain, Egypt, Jordan, Kuwait, Senegal, Sudan, Somalia, Qatar, Morocco, US, France, UK, Canada, Australia,Germany
#Yemen #CrimesAgainstHumanity #WarCrime #Holocaust #YemenCantWait #YemenHolocaust #WorldHypocrisy
1. Holocaust in Yemen caused by Saudi Arabia, United Arab Emirates, Bahrain, Egypt, Jordan, Kuwait, Senegal, Sudan, Somalia, Qatar, Morocco, US, France, UK, Canada, Australia,Germany🤨👇🏼
threadreaderapp.com/thread/1109495…
2. Holocaust in Yemen caused by Saudi Arabia, United Arab Emirates, Bahrain, Egypt, Jordan, Kuwait, Senegal, Sudan, Somalia, Qatar, Morocco, US, France, UK, Canada, Australia,Germany🤨👇🏼
threadreaderapp.com/thread/1112537…
Read 134 tweets
Profile picture
Filomena Rocha
@Filomen03258997
6. Holocaust in Yemen caused by Saudi Arabia, United Arab Emirates, Bahrain, Egypt, Jordan, Kuwait, Senegal, Sudan, Somalia, Qatar, Morocco, US, France, UK, Canada, Australia,Germany
#Yemen #CrimesAgainstHumanity #WarCrime #Holocaust #YemenCantWait #YemenHolocaust #WorldHypocrisy
1. Holocaust in Yemen caused by US, UK,France, Canada, Australia,Germany,Saudi Arabia, United Arab Emirates, Bahrain, Egypt, Jordan, Kuwait, Senegal, Sudan, Somalia, Qatar, Morocco, 🤨👇🏼
threadreaderapp.com/thread/1109495…
2. Holocaust in Yemen caused by US, UK,France, Canada, Australia,Germany,Saudi Arabia, United Arab Emirates, Bahrain, Egypt, Jordan, Kuwait, Senegal, Sudan, Somalia, Qatar, Morocco, 🤨👇🏼
threadreaderapp.com/thread/1112537…
Read 123 tweets
Profile picture
Sibel Edmonds
@sibeledmonds
#Khashoggi Case Thread: I am going to ‘pin’ this post to use it as an ‘Info Thread’ on the #Khashoggi Case. I am in #Turkey. I’ve been following the case closely and with access to sources & experts here. This is a very ‘sensitive’ criminal case due to ‘Diplomatic Booby Traps’!!!
The Evidence Obtained Outside Cameras will not show any evidence of ‘tempering’ but other than license plates of dozens of diplomatic cars (Many with tinted windows-large trunks) with related time stamp, drivers Info, model/year: Nothing.
#Turkish Intel-Investigative Bodies also have the list of all Diplomatic & Private Saudi & “other significant’ Planes in #Turkey for the period of ‘interest.’ Many of the Target airports have their own security cameras & related evidence.
Read 335 tweets

Trending hashtags

#Syria #Saudi #JamalKhashoggi #WorldHypocrisy #UAE #Pompeo #naturalright #MiddleEast #HighAlert #Baghdad #YemenNGOBlackHole #BM #Saudis #Hodeidah #BorisJohnsonShouldNotBePM #UN #YemenHolocaust #Eid #terroristas #DeepState #iCloud #SaudiArabian #GenderApartheid #Trump #UnitedKingdom
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!