Robert M. Lee @RobertMLee, 8 tweets, 2 min read
In plain English what does the XENOTIME (actors behind TRISIS/TRITON) info we released mean, why’d we release it, and what are the implications? Here’s a thread with my thoughts.
We didn’t release much new, actually; it’s just that the new material is significant. The XENOTIME blog largely documents their behavior as it related to TRISIS. The new info is that the team is active in multiple locations and has moved beyond just targeting one vendor’s safety systems.
That “is active” and “beyond one vendor” language should bother everyone. It means the adversary is, predictably, continuing to evolve and target safety systems outside just the Middle East, and if you have any safety system you should consider the risk.
To me this is impactful because it means that engineering/operations must truly consider cyber components to safety systems. I.e. your SIS could be running and yet be entirely useless. It’s not a high probability you’ll be targeted but this isn’t an isolated threat anymore.
We published because information we shared privately was getting leaked anyway, but we would have eventually shared that the targeting is enhanced in scope regardless. Nothing sensitive, just an update on an existing threat. But it’s substantial and folks should know.
The good news: it’s not about zero-days and unknown tradecraft. It’s highly documented methods and tradecraft. Any level of industrial monitoring and threat detection should really not have a hard time identifying this activity. You just have to be looking.
The bad news: if you’re targeting safety systems you either intend to, or are just ok with, killing people. It doesn’t mean it’s imminent, but it’s a reality. So people need to take this seriously. It’s not something we as a community can bury our heads in the sand on.
I don’t ever get hyped out and I hate FUD. But XENOTIME bothers me to my core. It doesn’t need to be hyped because folks in the ICS security community understand the importance of this. Now we all have to go to work. And we can get it done.