active profile
type Nation-State
threat_level Critical
status Active
origin Russia — CNIIHM-linked (Ministry of Defense)
last_updated 2026-03-26

XENOTIME / Triton Group

also known as: TEMP.Veles, TRISIS Group, HatMan Group, CNIIHM-linked actors, G0088 (MITRE ATT&CK for ICS)

Described by Dragos as "easily the most dangerous threat activity publicly known." XENOTIME is the only threat actor ever confirmed to have intentionally targeted Safety Instrumented Systems — the last line of automated defense in industrial facilities designed to prevent explosions, fires, and chemical releases. The 2017 TRISIS attack on a Saudi Arabian petrochemical plant was the first cyberattack in history designed with the primary intention of causing physical casualties. Subsequent operations expanded targeting to electric utilities in North America and Asia-Pacific, ICS manufacturers, and a second industrial facility. Evgeny Gladkikh, a programmer at the Russian Ministry of Defense's CNIIHM research institute, was indicted in 2021. CNIIHM was sanctioned by the US Treasury. The FBI advises Triton "remains a threat."

attributed origin Russia — CNIIHM (Central Scientific Research Institute of Chemistry and Mechanics)
dragos assessment "Easily the most dangerous threat activity publicly known"
unique distinction Only actor confirmed to intentionally target SIS controllers
first attack June 2017 (first SIS trigger); August 2017 (investigated deployment)
doj indictment Evgeny Gladkikh (CNIIHM) — June 2021 indictment
cniihm sanctions US Treasury OFAC sanctioned CNIIHM (Oct 2020)
active since At least 2014 (2017 first public incident)
expanded targeting ~12 orgs reached; electric utilities US + APAC (2018–2019)
ics malware family TRISIS: 1 of 9 ICS-specific malware families (Dragos's count)

Overview

XENOTIME occupies a singular position in the threat landscape. Every other threat actor profiled here — regardless of sophistication, state sponsorship, or historical impact — has operated within an implicit boundary: their cyber operations were designed to steal information, disrupt services, destroy data, or hold systems hostage. XENOTIME crossed a line that no documented threat actor had crossed before. In 2017, it deployed malware designed specifically to disable the last automated safety defenses in an operating petrochemical plant — systems that, if disabled, would allow an industrial accident to progress unchecked to catastrophic physical failure. The goal, according to every credible analysis, was to kill people.

The TRISIS malware (also known as TRITON and HatMan) targeted Schneider Electric's Triconex Safety Instrumented System controllers at what is believed to be Petro Rabigh, a Saudi Arabian oil refinery. Safety Instrumented Systems (SIS) are purpose-built, independently operated controllers that monitor process conditions and initiate emergency shutdowns if dangerous thresholds are crossed — shutting off valves, releasing pressure, cutting power to pumps. They are deliberately separate from the primary control system, specifically engineered to function even if everything else fails. They are, as Dragos CEO Robert M. Lee has described them, "the last line of defense." XENOTIME's TRISIS was designed to neutralize that last line while maintaining the appearance of normal operation — leaving plant operators unaware that the safety net had been cut.

The attack partially failed only because of a software bug: the malware inadvertently triggered a fault in two of the Triconex controllers, causing them to enter a fail-safe state and shut down the plant. The emergency shutdown revealed the malware's presence. Without that bug, XENOTIME's operators would have had full remote control of the SIS while plant processes continued running — free to disable safety shutoffs, modify safe operating parameters, and engineer whatever physical incident they chose. As incident responder Julian Gutmanis stated: "We knew that we couldn't rely on the integrity of the safety systems. It was about as bad as it could get."

XENOTIME is attributed with high confidence by FireEye / Mandiant to CNIIHM — the Central Scientific Research Institute of Chemistry and Mechanics — a Russian government-owned technical research institute under the Ministry of Defense located in Moscow. CNIIHM was sanctioned by the US Treasury in October 2020. Evgeny Viktorovich Gladkikh, a 36-year-old CNIIHM programmer, was indicted in June 2021 for his role in the attack. Dragos confirmed the attacker had been inside the first victim's network since 2014 — three years of silent pre-positioning before the SIS attack.

critical context: what an SIS does

A Safety Instrumented System is not a component of industrial process control — it is an independent, redundant, deliberately separate failsafe layer. When process conditions approach dangerous levels (over-pressurization, overheating, toxic gas buildup), the SIS overrides everything else and initiates emergency shutdown. Stuxnet disrupted centrifuge operations while hiding the disruption from operators. Industroyer/CRASHOVERRIDE cut power to Ukrainian grid substations. TRISIS was designed to disable the system that prevents an industrial plant from becoming a bomb. This is why Dragos and multiple ICS security professionals characterized it as the first malware designed with killing people as an objective.

TRISIS Technical Analysis

TRISIS is one of nine publicly known malware families built specifically to interact with and compromise industrial control systems, by Dragos's count; the other eight are Stuxnet, Havex, BlackEnergy2, Industroyer/CRASHOVERRIDE, Industroyer2, PIPEDREAM, Fuxnet and FrostyGoop. Its technical architecture reflects years of research investment in the Triconex SIS platform's proprietary protocol, firmware structure and communication mechanisms.

  • Target System: Schneider Electric's Triconex Tricon safety programmable logic controller (PLC) — a triple modular redundant (TMR) SIS designed to maintain safe operation even through hardware failures. The Triconex system uses a proprietary protocol called TriStation for communication between engineering workstations and controllers. TRISIS implemented a custom reverse-engineered version of the TriStation protocol to communicate directly with SIS controllers.
  • Framework Architecture: TRISIS is a multi-component Python-based framework, not a single executable. Components include a custom Python script acting as the main controller, four Python modules providing framework functionality, and malicious shellcode containing an injector and payload. The modular design allows operators to develop and test individual components independently — which is exactly what CNIIHM's TEMP.Veles operators were doing in a development testing environment that FireEye monitored.
  • Firmware Modification: TRISIS modifies the in-memory firmware of Triconex SIS controllers — adding additional programming that provides the attacker with read/write access to memory contents and the ability to execute custom code. This firmware modification is the key capability: it gives operators the ability to issue custom commands to the SIS controller, including commands to prevent emergency shutdown initiation even when unsafe process conditions are detected.
  • The Accidental Discovery: XENOTIME's intent was to deploy TRISIS silently and then use separate malware to cause the plant's primary processes to run in unsafe conditions — the SIS would appear to be monitoring normally while actually being under attacker control and incapable of initiating protective shutdowns. Instead, a software bug in the TRISIS malware triggered fault detection in two Triconex controllers, causing them to enter a fail-safe shutdown state. The emergency shutdown revealed anomalous behavior, which led to a forensic investigation that discovered the malware. Had TRISIS deployed without triggering the fault, the attack would have proceeded invisibly.
  • Two Emergency Shutdowns: The Petro Rabigh attack caused two separate emergency shutdowns — one in June 2017 that was initially attributed to a mechanical issue, and the August 2017 event that triggered the investigation. The June incident was a failed initial deployment that went unrecognized as a cyberattack. This means XENOTIME maintained access and continued refining the attack for two months after the first partial discovery before the August deployment that triggered the investigation.
  • TRISIS as Blueprint: Dragos specifically noted that while TRISIS was highly tailored to the specific Triconex infrastructure at the target plant and is not directly scalable, "the malware provides a blueprint of how to target safety instrumented systems. This tradecraft is thus scalable and available to others even if the malware itself changes." The 2019 discovery of TRISIS at a second industrial facility — using elements of the same framework — confirmed this assessment.

Target Profile and Expansion

XENOTIME began with a focused operation against a single petrochemical facility but systematically expanded its target set following the 2017 incident — demonstrating that public exposure and sanctions did not deter continued operations.

  • Petro Rabigh, Saudi Arabia (believed) — 2014–2017: The first and only confirmed TRISIS deployment. Dragos confirmed the attacker had been inside the network since 2014 — three years of patient pre-positioning, learning the plant's ICS architecture before deploying the SIS-targeting payload in 2017. The facility operated refinery processes involving hydrogen sulfide and other hazardous materials — substances that, if released through a safety system failure, posed serious risk to plant workers and the surrounding area.
  • Second Industrial Facility — 2019: FireEye Mandiant disclosed at the Kaspersky Security Analyst Summit in April 2019 that it had discovered a second TRISIS attack — a full-blown active intrusion at another industrial organization, not yet publicly identified. The attackers had a foothold in the corporate network and were conducting reconnaissance and advancing deeper toward the OT network. Elements of the TRISIS framework were identified. Unlike the first incident, this discovery occurred before the attackers could deploy the full SIS attack capability.
  • ~12 Organizations — Early Stage Compromises (2018+): Dragos documented approximately 12 organizations whose networks were hit with XENOTIME early-stage attack tooling, primarily corporate IT network access and reconnaissance, with the attackers working toward OT network access. These were not TRISIS deployments; they were the same kind of precursor intrusion activity that preceded the Saudi facility attack. The organizations were mostly in oil and gas but also included ICS equipment manufacturers.
  • ICS Vendors and Manufacturers (2018): Dragos identified several compromises of ICS vendors and manufacturers by XENOTIME in 2018. This supply chain targeting mirrors Dragonfly's Havex strategy: compromising trusted vendors provides access to their customer base and provides intelligence about target facility configurations before direct attacks. A vendor compromise could enable XENOTIME to deliver malicious firmware or software updates to ICS installations worldwide.
  • US and Asia-Pacific Electric Utilities (Late 2018–2019): Starting in late 2018, XENOTIME expanded beyond oil and gas — probing the networks of electric utility organizations in the United States and the Asia-Pacific region. Dragos documented that "XENOTIME is now targeting dozens of electric power utilities in at least the North American and Asia-Pacific regions." The targeting involved the same reconnaissance and initial-access techniques used against oil and gas facilities. No confirmed intrusions into electric utility OT networks were documented, but the scope of probing was extensive. Dragos noted that electric utility environments also contain SIS-equivalent protection equipment that could be targeted with XENOTIME's tradecraft.
  • US Refineries (2018 — Failed Attempt): The DOJ indictment against Evgeny Gladkikh confirms that between February and July 2018 — just months after the Petro Rabigh attack was publicly disclosed — Gladkikh and co-conspirators researched US-based refineries and "unsuccessfully attempted to hack the U.S. company's computer systems." The research phase included obtaining a 1970s US Department of Defense research paper detailing refinery physical vulnerabilities, explosive effects, and capacity — specifically identifying which US facilities would cause maximum damage. The attempted US intrusion was the first documented case of XENOTIME targeting the US energy sector.

Tactics, Techniques & Procedures

XENOTIME's TTPs span both standard enterprise IT intrusion techniques for gaining corporate network access and highly specialized ICS-specific techniques for the OT targeting phase. The IT phase resembles many other APT intrusions; the OT phase is unique in documented threat history.

technique mapping (MITRE ATT&CK Enterprise and ATT&CK for ICS)

  • T0857 (ICS) System Firmware: SIS firmware modification. The defining TRISIS capability: direct modification of Triconex SIS controller in-memory firmware via the TriStation protocol. The modified firmware adds attacker-controlled code that allows read/write access to memory and custom command execution. The modification was designed to persist invisibly in the controller's active memory, so that the operators could disable emergency shutdown functions on demand while the SIS appeared to plant engineers to be operating normally. This is the only documented case of deliberate SIS firmware modification by a threat actor.
  • T0843 / T0845 (ICS) Program Download / Program Upload: SIS controller communication over TriStation. TRISIS implemented a custom, reverse-engineered client for Schneider Electric's proprietary TriStation protocol to read from and write to Triconex controllers directly. TriStation is not publicly documented, so a working client had to be reconstructed from captured engineering-workstation traffic and analysis of controller firmware. The implementation gives direct read/write access to the controller's memory and logic.
  • T1078 Valid Accounts: credential capture and replay. XENOTIME used captured, legitimate credentials as its primary means of moving between IT and OT network segments. Mandiant documented that the actor was present on the corporate network for almost a year before gaining access to the SIS engineering workstation; the long dwell time allowed systematic harvesting of accounts with OT network access.
  • T1059.006 Command and Scripting Interpreter: Python. TRISIS is a Python framework: a main script, four Python modules and embedded shellcode. The CISA HatMan MAR and FireEye's analysis document the main executable, trilog.exe, as a Python script compiled with py2exe, shipped alongside library.zip (the framework modules), inject.bin and imain.bin (the shellcode). The Python implementation made rapid modification of the framework straightforward for the developers.
  • T1569.002 System Services: Service Execution (PsExec). Alongside proprietary tools, XENOTIME used standard Windows command-line tools and PsExec for lateral movement and remote execution on victim hosts, the same approach documented for Dragonfly, ALLANITE and other ICS-targeting actors. PsExec with captured credentials yields remote command execution across network segments using legitimate Windows tooling rather than exploits, leaving fewer forensic artifacts and avoiding exploit-based detection.
  • T1595 Active Scanning / T1593 Search Open Websites/Domains: ICS reconnaissance. Following the 2017 TRISIS incident, XENOTIME's expanded operations included "significant external scanning, network enumeration and open-source research of potential victims, combined with attempts at external access." The DOJ indictment describes research using a 1970s US government document cataloging refinery physical vulnerabilities, explosive impact radii and facility capacity: open-source intelligence used to select the facilities where a successful SIS attack would cause the most physical damage.
  • Precondition (no ATT&CK technique ID): Triconex key switch left in PROGRAM. Tricon controllers have a physical key switch that governs whether the control program can be changed over the network; in RUN position program downloads are refused, in PROGRAM position they are permitted. At the victim plant the key switches were left in PROGRAM during normal operation, which is what allowed TRISIS to push modified logic and firmware to the controllers remotely. Key position management is a basic SIS security control that the plant had not enforced.

Attribution: CNIIHM and Evgeny Gladkikh

FireEye's October 2018 attribution of TRISIS to CNIIHM was among the most methodologically detailed public ICS attribution analyses published. The evidence chain connected multiple independent technical and operational indicators to a specific individual at a specific institution.

  • PDB Path to Developer Handle: A PDB (Program Database) path in a tested malware file contained what appeared to be a unique developer handle or username. This moniker was linked to a Russia-based individual active in Russian information security communities since at least 2011, credited with vulnerability research contributions to the Russian edition of Hacker Magazine. The same handle's social media profile showed the individual in proximity to Moscow throughout the profile history.
  • CNIIHM Professor Identification: A now-defunct social media profile using the same handle identified the individual as a professor at CNIIHM, located near Nagatinskaya Street in Moscow's Nagatino-Sadovniki district. FireEye noted CNIIHM has at least two research divisions with directly relevant expertise: a Center for Applied Research focused on protecting critical infrastructure from destructive impacts, and a Center for Experimental Mechanical Engineering that develops weapons and researches enterprise safety in emergency situations — precisely the institutional knowledge base needed to develop TRISIS.
  • CNIIHM IP Address: An IP address registered to CNIIHM was used by TEMP.Veles operators for multiple operational purposes — monitoring open-source coverage of the TRISIS attack after disclosure, conducting network reconnaissance, and direct malicious activity in support of the TRISIS intrusion. Using the institutional IP for operational monitoring is a significant OPSEC failure that directly linked CNIIHM to the attack.
  • Working Hours Pattern: Activity patterns from TEMP.Veles operators were consistent with Moscow Standard Time working hours — another corroborating indicator linking operations to the Moscow timezone where CNIIHM is located.
  • Evidence Deletion Post-Attribution: After FireEye published its CNIIHM attribution report in October 2018, information about CNIIHM began disappearing from the institution's website — photos, internal structure details, information on associated IP addresses. FireEye reported this evidence deletion at the 2019 ICS Cyber Security Conference in Singapore, noting it as consistent with an organization that recognized it had been identified and was attempting to reduce its public footprint.
  • Evgeny Gladkikh — DOJ Indictment: On June 23, 2021, a federal grand jury in the District of Columbia returned a three-count indictment against Evgeny Viktorovich Gladkikh, 36, a computer programmer at TsNIIKhM (CNIIHM), formally charging him for the TRISIS deployment at "victim company 1" (believed to be Petro Rabigh) and attempted intrusions against US refineries in 2018. The three counts are: (1) conspiracy to cause damage to an energy facility (maximum 20 years), (2) attempt to cause damage to an energy facility (maximum 20 years), and (3) conspiracy to commit computer fraud (maximum 5 years) — a combined maximum sentence of 45 years. The indictment was unsealed March 24, 2022 alongside the Dragonfly/Akulov indictment. A $10 million Rewards for Justice reward was announced simultaneously. This was the first time an individual associated with CNIIHM had been personally charged — moving beyond the institutional sanctions to personal accountability.
  • CNIIHM Sanctions: The US Treasury Department's Office of Foreign Assets Control sanctioned CNIIHM in October 2020, prohibiting US persons from transacting with the institution and designating it as an entity connected to the TRISIS malware development.
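Two of the artifacts in the list above, the PDB path and the working-hours pattern, as analyst-side checks. This is an added example written for this profile, not FireEye's tooling, and the PE fragment, the GUID, the handle "devhandle" and the timestamps are all constructed. The RSDS record layout it carves (4-byte signature, 16-byte GUID, 4-byte age, NUL-terminated path) is the standard CodeView debug record; the business-hours scorer ranks UTC offsets by how many events land in a 09:00 to 18:00 local window, which is how a "Moscow Standard Time working hours" observation is actually derived from operator timestamps.

```python
"""Added example for this profile: two attribution checks from the list
above as analyst scripts. The PE fragment, GUID, handle and timestamps
are constructed; nothing is taken from the TRISIS binaries."""
import re
import struct
import uuid
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Optional


def extract_pdb_paths(blob: bytes) -> list:
    """Carve CodeView RSDS debug records out of raw bytes.

    Layout: b'RSDS' | GUID (16 bytes, little-endian) | age (uint32 LE) |
    NUL-terminated path. Scanning raw bytes rather than walking the PE
    debug directory also works on memory dumps and damaged files."""
    records = []
    for m in re.finditer(rb"RSDS", blob):
        start = m.end()
        if len(blob) < start + 20:
            continue
        guid = uuid.UUID(bytes_le=blob[start:start + 16])
        (age,) = struct.unpack_from("<I", blob, start + 16)
        end = blob.find(b"\x00", start + 20)
        if end == -1:
            continue
        path = blob[start + 20:end].decode("utf-8", "replace")
        if path:
            records.append({"guid": str(guid), "age": age, "path": path})
    return records


def handle_from_pdb_path(path: str) -> Optional[str]:
    """Return the profile directory name from a PDB path that was built
    under a user profile, e.g. C:\\Users\\<handle>\\...\\x.pdb."""
    m = re.search(r"(?i)\\(?:Users|Documents and Settings)\\([^\\]+)\\", path)
    return m.group(1) if m else None


def business_hours_fit(utc_times, start=9, end=18):
    """Rank UTC offsets (-12..+14 h) by the fraction of events that land
    in [start, end) local time. Ties break toward the smaller offset."""
    if not utc_times:
        return []
    scores = []
    for off in range(-12, 15):
        tz = timezone(timedelta(hours=off))
        hours = Counter(t.astimezone(tz).hour for t in utc_times)
        inside = sum(n for h, n in hours.items() if start <= h < end)
        scores.append((off, inside / len(utc_times)))
    scores.sort(key=lambda s: (-s[1], abs(s[0])))
    return scores


# Constructed sample: a fake PE fragment carrying one RSDS record, and ten
# operator timestamps that sit inside a UTC+3 (Moscow) working day.
FAKE_GUID = uuid.UUID("12345678-1234-5678-1234-567812345678")
SAMPLE_BLOB = (b"MZ" + b"\x00" * 30 + b"RSDS" + FAKE_GUID.bytes_le
               + struct.pack("<I", 3)
               + b"C:\\Users\\devhandle\\proj\\build\\tool.pdb\x00" + b"\x00" * 8)
SAMPLE_TIMES = [datetime(2017, 8, 1, h, 0, tzinfo=timezone.utc)
                for h in (6, 7, 7, 8, 9, 10, 11, 12, 13, 14)]

if __name__ == "__main__":
    for rec in extract_pdb_paths(SAMPLE_BLOB):
        print(rec, "->", handle_from_pdb_path(rec["path"]))
    print(business_hours_fit(SAMPLE_TIMES)[:3])
```

On a real sample the carved path is the starting point, not the conclusion: the handle must still be tied to a person through independent sources, as FireEye did with the forum and social-media history described above, and a working-hours fit only narrows the candidate timezones.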

Known Campaigns

TRISIS / Petro Rabigh — First SIS Attack in History 2014 – August 2017

The foundational XENOTIME operation and the most consequential ICS attack in terms of intent, if not impact. XENOTIME established a corporate network foothold at what is believed to be Petro Rabigh (a Saudi Aramco and Sumitomo Chemical joint venture refining and petrochemical complex) by 2014, three years before the SIS attack. A first deployment in June 2017 triggered an emergency shutdown that was incorrectly attributed to mechanical failure. The August 2017 deployment installed TRISIS on the plant's Triconex SIS controllers via the TriStation protocol. A software bug in the TRISIS code triggered fault detection in two controllers, causing them to fail safe, initiating another emergency shutdown and revealing the malware to forensic investigators. The facility was shut down for several days. Without the software bug, XENOTIME would have had full control of the plant's safety systems while operators believed them to be functioning normally. Australian incident responder Julian Gutmanis described it as "as bad as it could get." Robert Lee of Dragos called it "the first piece of malware specifically designed to kill people." The DOJ indictment refers to the facility as "victim company 1."

Second Industrial Facility — TRISIS Framework Deployed 2018 – 2019

FireEye Mandiant disclosed in April 2019 that it had identified a second active XENOTIME intrusion at an unidentified industrial organization — a full-blown attack rather than early-stage probing, with elements of the TRISIS attack framework installed. Attackers had established a corporate network foothold and were conducting reconnaissance while advancing toward the OT network. Unlike the first incident, discovery occurred before the attackers reached the SIS environment. This second deployment confirmed that TRISIS was not a one-time operation but an ongoing, evolving capability being actively employed. The identity and location of the second victim have not been publicly confirmed.

US Refinery Targeting — Post-Disclosure Escalation February – July 2018

Despite the public disclosure of the Saudi Arabia attack in December 2017 and subsequent attribution research, XENOTIME immediately pivoted to targeting US energy infrastructure. Between February and July 2018, Gladkikh and co-conspirators researched US-based oil refineries — specifically obtaining a 1970s DOD research paper cataloging physical vulnerabilities, explosive effects, and capacity for US refinery sites. This open-source research was specifically aimed at identifying which US facilities would produce the most significant physical damage and casualty potential in a successful SIS attack. They then conducted unsuccessful intrusion attempts against a US company operating multiple refineries. The attempted US targeting represents the group's most direct threat to American critical infrastructure and was confirmed in the 2021 DOJ indictment.

Electric Utility Targeting — Sector Expansion Late 2018 – 2019+

Starting in late 2018, Dragos documented XENOTIME expanding beyond oil and gas to probe electric utility organizations in the US and Asia-Pacific. By June 2019, Dragos had identified dozens of electric power utilities being targeted. None of the probing had resulted in known successful intrusion into electric utility OT networks at the time of Dragos's public disclosure. The electric utility targeting used the same external scanning, network enumeration, and open-source research techniques documented in the oil and gas phase. Dragos's Sergio Caltagirone stated in June 2019: "What was once considered an oil and gas threat is now an electric threat too. People will die, we just don't know when."

Tools & Malware

  • TRISIS (TRITON / HatMan): The signature ICS malware framework. Multi-component Python tool targeting Schneider Electric Triconex SIS controllers via a reverse-engineered TriStation client. Modifies in-memory SIS firmware to enable remote read/write access and custom code execution. Three layers: the py2exe-compiled Python framework (trilog.exe with its library.zip modules), the TriStation protocol client, and the shellcode payload delivered as inject.bin and imain.bin. One of nine ICS-specific malware families in Dragos's count.
  • Custom Credential Capture Tools: XENOTIME used proprietary credential capture tools specific to its operations alongside standard Windows tools — harvesting domain credentials for lateral movement across IT/OT boundaries. The combination of custom and commodity tools follows the pattern of an actor that invested heavily in OT-specific capability while using available tools for standard IT-side operations.
  • PSExec (Sysinternals): Used for remote execution and lateral movement on victim hosts, consistent with multiple documented ICS-targeting actors that prefer legitimate Windows tooling for IT-side operations to minimize forensic detection signals.
  • Standard Windows Command-Line Tools: Dragos documented XENOTIME's use of standard Windows commands and command-line utilities for operations on victim hosts — consistent with a living-off-the-land approach for the IT-side of the attack lifecycle, reserving custom tooling for the OT-specific phase.
  • TriStation Protocol Client (custom): A reverse-engineered implementation of Schneider Electric's proprietary TriStation protocol, embedded within the TRISIS framework. This component represents the most technically sophisticated element of the XENOTIME toolkit — requiring deep understanding of a non-public industrial protocol and substantial testing against physical Triconex hardware to develop and validate.

Indicators of Compromise

IOCs from the CISA Malware Analysis Report MAR-17-352-01, HatMan: Safety System Targeted Malware (Update B), the March 2022 CISA/FBI/DOE advisory AA22-083A, CrowdStrike and Dragos TRISIS analyses, and FireEye's XENOTIME attribution research. Full technical IOC sets are available in CISA's HatMan MAR.

ot detection note

TRISIS specifically targets safety systems that are typically managed by engineering teams rather than security teams, and that run on dedicated SIS networks separate from standard OT monitoring. Conventional IT-based detection — EDR, SIEM, network IDS — may not monitor or have visibility into SIS network segments. Detecting XENOTIME activity in the SIS environment requires dedicated safety system monitoring capability. Detection of early-stage IT network activity (corporate network reconnaissance, credential harvesting, OT-boundary crossing) is the most viable defensive detection window.

behavioral and technical indicators
file trilog.exe (py2exe-compiled main executable), library.zip (Python modules TsBase, TsLow, TsHi, sh), inject.bin and imain.bin (injector and payload shellcode), script_test.py: TRISIS component filenames documented in the CISA HatMan MAR and FireEye's analysis
protocol Unexpected TriStation protocol traffic (UDP port 1502) originating from any host other than authorized engineering workstations — unauthorized TriStation access is the primary SIS compromise indicator
behavior Triconex physical key in Program mode (remote programming enabled) outside of authorized maintenance windows — key should be in Run mode during normal operations; unauthorized Program mode access is the precondition for TRISIS deployment
network Connections from corporate/IT network hosts to SIS engineering workstations or SIS network segments — SIS networks should have no inbound connections from IT; any such traffic represents IT/OT boundary violation
behavior Unexpected SIS controller reboots or fault messages: both XENOTIME TRISIS deployment attempts manifested as unexpected SIS emergency shutdowns, and the first was dismissed as a mechanical fault; unexplained SIS faults should trigger a security investigation alongside the engineering one
file Python interpreter or Python script files on SIS engineering workstations or OT network hosts — TRISIS is Python-based; Python execution on dedicated safety system workstations is anomalous and warrants immediate investigation
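The network and host indicators above as detection logic. This is an added example written for this profile, not tooling from CISA, Dragos or FireEye. It runs over constructed flow records and Windows process-creation events in a hypothetical CSV layout; the address ranges, the hostnames SIS-EWS-01 and CORP-FS-02, the authorized engineering workstation and the admin jump host are placeholders for your own zone model. The only values taken from the profile are UDP/1502 for TriStation and the documented TRISIS component filenames.

```python
"""Added example for this profile: the behavioural indicators above as
detection logic, run over constructed flow records and Windows process
events. Zone model, hostnames and the CSV layout are hypothetical."""
import csv
import io
import ipaddress

# Hypothetical zone model: corporate IT range, SIS segment, the single
# engineering workstation permitted to speak TriStation, and the jump
# hosts permitted to originate PsExec. Replace with your own plan.
IT_NET = ipaddress.ip_network("10.10.0.0/16")
SIS_NET = ipaddress.ip_network("192.168.50.0/24")
AUTHORIZED_EWS = {ipaddress.ip_address("192.168.50.10")}
SIS_HOSTS = {"SIS-EWS-01"}
ADMIN_JUMP_HOSTS = {"10.10.5.5"}
TRISTATION_PORT = 1502  # UDP, per the CISA HatMan MAR
# TRISIS component names documented by CISA and FireEye.
TRISIS_FILENAMES = {"trilog.exe", "library.zip", "inject.bin", "imain.bin", "script_test.py"}


def check_flow(row):
    """Indicators for one flow record (ts,src,dst,proto,dport)."""
    src = ipaddress.ip_address(row["src"])
    dst = ipaddress.ip_address(row["dst"])
    hits = []
    # Any TriStation traffic not sourced from the authorized EWS.
    if (row["proto"].upper() == "UDP" and int(row["dport"]) == TRISTATION_PORT
            and src not in AUTHORIZED_EWS):
        hits.append("tristation_from_unauthorized_host")
    # Any IT-zone host talking into the SIS segment at all.
    if src in IT_NET and dst in SIS_NET:
        hits.append("it_to_sis_boundary_violation")
    return hits


def check_process(row):
    """Indicators for one process-creation event (ts,host,image,remote_ip)."""
    image = row["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    hits = []
    # Python has no business on a dedicated safety-system workstation.
    if row["host"] in SIS_HOSTS and (image.startswith("python") or image.endswith((".py", ".pyc"))):
        hits.append("python_on_sis_workstation")
    if image in TRISIS_FILENAMES:
        hits.append("known_trisis_component_name")
    # PSEXESVC.exe is the service PsExec installs on the target; flag it
    # when the connecting host is not an approved admin jump host.
    if image == "psexesvc.exe" and row["remote_ip"] not in ADMIN_JUMP_HOSTS:
        hits.append("psexec_service_from_unexpected_source")
    return hits


def triage(flow_csv, proc_csv):
    """Run both checks; return {(ts, subject): [indicators]} for hits only."""
    findings = {}
    for row in csv.DictReader(io.StringIO(flow_csv)):
        hits = check_flow(row)
        if hits:
            findings[(row["ts"], f'{row["src"]}->{row["dst"]}')] = hits
    for row in csv.DictReader(io.StringIO(proc_csv)):
        hits = check_process(row)
        if hits:
            findings[(row["ts"], row["host"])] = hits
    return findings


# Constructed sample telemetry, not real captures. Flow 1 is the legitimate
# EWS; flow 2 is TriStation from an unknown host; flow 3 is RDP from IT into
# the SIS segment; flow 4 is ordinary IT-to-IT SMB and must not alert.
SAMPLE_FLOWS = """ts,src,dst,proto,dport
2017-08-04T01:02:03Z,192.168.50.10,192.168.50.20,UDP,1502
2017-08-04T01:05:00Z,192.168.50.33,192.168.50.20,UDP,1502
2017-08-04T01:07:10Z,10.10.22.14,192.168.50.10,TCP,3389
2017-08-04T01:09:45Z,10.10.22.14,10.10.7.8,TCP,445
"""
SAMPLE_PROCS = """ts,host,image,remote_ip
2017-08-04T00:58:00Z,SIS-EWS-01,C:\\Windows\\Temp\\trilog.exe,
2017-08-04T00:58:30Z,SIS-EWS-01,C:\\Python27\\python.exe,
2017-08-04T00:40:00Z,CORP-FS-02,C:\\Windows\\PSEXESVC.exe,10.10.22.14
2017-08-04T00:20:00Z,CORP-FS-02,C:\\Windows\\PSEXESVC.exe,10.10.5.5
"""

if __name__ == "__main__":
    for key, hits in sorted(triage(SAMPLE_FLOWS, SAMPLE_PROCS).items()):
        print(key, hits)
```

The flow checks assume the SIS segment is monitored at all; as the detection note above says, that is the part most sites lack. The process checks are cheap to run from existing endpoint telemetry on the engineering workstations and corporate hosts, which is where the longer pre-positioning window is.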

Mitigation & Defense

XENOTIME remains active. The FBI advisory confirming TRISIS "remains a threat" and Dragos's continued tracking of the group as active means that organizations with Safety Instrumented Systems should treat this as a current, ongoing threat requiring immediate defensive investment regardless of sector — the confirmed expansion to electric utilities means oil and gas operators are not the only at-risk population.

  • Physical Key Management (highest priority): The Petro Rabigh attack was enabled in part by Triconex key switches being left in PROGRAM, which allows program changes to be pushed to the controllers over the network. Establish and enforce strict key management: controllers in RUN during all normal operation, PROGRAM only under documented authorization with a person physically at the controller, and key state logged and audited. This single physical control would have significantly complicated or prevented the TRISIS deployment. Schneider Electric's post-incident guidance covers this for Triconex, and the same principle applies to the key or mode switches on other SIS vendors' hardware.
  • SIS Network Isolation: The SIS segment should have no connectivity to corporate IT: no shared switches, no routed path, no jump host that sits on both. The IT/OT segmentation that is standard for DCS networks is not sufficient on its own for SIS. Where the SIS must exchange data with the DCS (alarm and status information for the HMI), that link should be tightly restricted and monitored, and it must not provide a path from IT into the SIS. Monitor for any communication between IT network devices and SIS network devices and treat any such traffic as a security incident requiring immediate investigation.
  • TriStation Protocol Monitoring: Any TriStation protocol traffic (UDP port 1502) originating from any host other than the specifically authorized SIS engineering workstation should trigger an immediate alarm. In a properly secured environment, only one or two designated engineering workstations should ever generate TriStation traffic — and only during authorized maintenance windows. Deploy network monitoring in the SIS network segment specifically watching for TriStation connections from unexpected sources.
  • Apply Schneider Electric's Triconex Security Updates: Schneider Electric published advisories and updated firmware for the Tricon controllers affected by TRISIS following public disclosure. All Triconex Tricon installations should be at the vendor's current recommended firmware, and the key switch guidance in those advisories should be followed. Contact your Schneider Electric representative and CISA for current guidance on specific versions. For other SIS vendors (Emerson, Yokogawa, Honeywell), verify security patch status and hardening guidance directly with each vendor; TRISIS established that SIS platforms are targets regardless of brand.
  • SIS Anomaly Monitoring — Treat Unexplained Shutdowns as Security Events: The XENOTIME attack caused two emergency shutdowns before it was detected — and the first was attributed to mechanical failure rather than investigated as a security incident. Any unexplained SIS fault, unexpected controller reboot, or anomalous process shutdown should trigger both an engineering investigation and a security investigation simultaneously. Establish a protocol for concurrent engineering and security response to SIS anomalies. The engineering team alone will look for mechanical or process causes; the security team must simultaneously check for unauthorized access, configuration changes, or malware indicators.
  • Threat Hunting for XENOTIME Pre-Positioning: XENOTIME spent three years on the corporate network before deploying TRISIS. Active threat hunting in the corporate IT environment — searching for credential harvesting activity, lateral movement toward OT-adjacent systems, and reconnaissance of ICS network architecture — can detect XENOTIME's pre-positioning phase long before it reaches the SIS environment. Organizations should hunt specifically for the behaviors documented in XENOTIME's IT-side TTPs: credential capture tools, Python execution on unexpected systems, and PSExec usage in unusual contexts.
analyst note

XENOTIME's significance in the threat landscape is categorical, not merely severe. Every other threat actor profiled in this series — regardless of state sponsorship, technical sophistication, or historical impact — operated within a framework where cyber effects caused cyber harm: data stolen, systems disrupted, services degraded, money diverted. XENOTIME made a deliberate, resource-intensive, years-in-the-making decision to cross the threshold where cyber effects could directly kill workers at an industrial facility. The three-year pre-positioning, the custom TriStation protocol implementation, the CNIIHM institutional expertise — these are not the signatures of an accident or an escalation that happened by surprise. This was planned, developed, tested, and executed with the specific intent of creating conditions under which an industrial catastrophe would occur. That it failed only because of a software bug is the only reason this profile discusses historical activity rather than a mass casualty event. Dragos CEO Robert Lee has consistently described XENOTIME as the line that separates "things we worried might happen" from "things we now know actors will do." The expansion to electric utilities means that the target list is every industrial organization with safety-critical systems — not just petrochemicals. The FBI's advisory that TRISIS "remains a threat" should be understood in that context: the actor exists, its capability exists, its targets have expanded, and the only reason the 2017 attack did not kill anyone is that the malware had a bug.

Sources & Further Reading

Primary government documents, vendor research, and court filings used to build this profile. All claims trace to at least one source listed here.

— end of profile