'Triton' Hackers Have Probed the US Grid

Discussion in 'other security issues & news' started by hawki, Jun 14, 2019.

  1. hawki

    "Over the last several months, power grid-focused security analysts at the Electric Information Sharing and Analysis Center, or E-ISAC, and the critical infrastructure security firm Dragos have been tracking a group of sophisticated hackers carrying out broad scans of dozens of US power grid targets, apparently looking for entry points into their networks...

    ...[T]hese hackers, known as Xenotime—or sometimes as the Triton actor, after their signature malware—have a particularly dark history. The Triton malware was designed to disable the so-called safety-instrument systems at Saudi Arabian oil refinery Petro Rabigh in a 2017 cyberattack, with the apparent aim of crippling equipment that monitors for leaks, explosions, or other catastrophic physical events. Dragos has called Xenotime 'easily the most dangerous threat activity publicly known.'...

    Xenotime has probed the networks of at least 20 different US electric system targets, including every element of the grid from power generation plants to transmission stations to distribution stations. Their scanning ranged from searching for remote login portals to scouring networks for vulnerable features, such as the buggy version of Server Message Block exploited in the Eternal Blue hacking tool leaked from the NSA in 2017...

    Despite initial speculation that Iran was responsible for the Saudi-Arabian targeted Triton attack, security firm FireEye in 2018 pointed to forensic links between the Petro Rabigh attack and a Moscow research institute, the Central Scientific Research Institute of Chemistry and Mechanics..."

    https://www.wired.com/story/triton-hackers-scan-us-power-grid/
     