Zeroing in on XENOTIME: analysis of the entities responsible for the Triton event

Wednesday 28 September 2022, 14:00 - 14:30

Joe Slowik (Gigamon)

The 2017 Triton or TRISIS event targeted safety systems at an oil and gas processing facility in Saudi Arabia. Although all available evidence indicates the attack likely failed in its overall execution, the incident stands out as the first attempted cyber event that contained the possibility for direct harm or loss of life. While gathering headlines for some months after the incident was publicly revealed in late 2017, further reporting on the actor responsible – referred to as XENOTIME – appeared to dry up, leaving many unanswered questions.

Matters changed in 2022 with a combination of some very broad industry reporting and the public release of a US Department of Justice indictment from 2021 identifying a specific persona behind the Triton incident. While adding some context around the group, many questions remain unanswered, not the least of which being what this entity (or its component organizations) has been up to since 2017.

This presentation will delve deeper into the specific entity (or perhaps more plausibly, entities?) responsible for the 2017 event, and the implications of this association. While earlier reporting identified a specific research institution as linked to the 2017 incident, an observation seemingly reinforced by the indictment, further analysis reveals that this entity likely served primarily tool development, testing and research functions, leaving the actual perpetrators unidentified beyond loose country association. By exploring technical, targeting and geopolitical factors surrounding the events in Saudi Arabia, as well as discussing additional activity linked to this actor between 2018 and 2022, we will gain greater understanding for just who XENOTIME might be and its implications for overall critical infrastructure cyber operations since the Triton event.

• Download slides for this talk
• Download paper for this talk

Joe Slowik Joe Slowik has over 10 years' experience across multiple disciplines in information security. Currently leading threat intelligence and detection development at Gigamon, Joe also engages in CTI training through Paralus and has a history of in-depth research and analysis of threats across multiple US government entities, Dragos, and DomainTools.

Back to VB2022 Programme page

Other VB2022 papers