Rising Cyber Escalation Between US, Iran, and Russia: ICS Threats and Response
June 25, 2019
DRAGOS, INC.
Introductions
Sergio Caltagirone, Vice President of Threat Intelligence at Dragos
Casey Brooks, Senior Adversary Hunter on the Threat Intelligence team at Dragos
Ben Miller, Vice President of Threat Operations at Dragos
Mark Stacey, Principal Threat Analyst on the Threat Operations team at Dragos
Agenda
01 Escalation and Major Issues
02 Intel on Iranian and Russian Attacks
03 Response & Hunting Overview
04 Detailed Preparation & Response
Escalation
Different ICS Attack-Response Options
Target
• Large Target
• Small Target
• In-Kind
• Location (Middle East vs Elsewhere)
Effects
• Direct ICS Attack
• Indirect ICS Attack
Attribution
• Direct
• Proxy
Asset Owner & Operator Response
TAKE THE THREAT SERIOUSLY
Assume offensive industrial disruption capabilities could be deployed now and in any future conflict. Countries will naturally want to avoid casualties, both military and civilian, and hence look for cyber disruption of ICS as an alternative to kinetic force.
THINK BEYOND BORDERS
This is a good time to dispel the “I’m not a target” myth and understand that adversaries view the battlespace differently from defenders – normal assumptions become dangerous.
Asset Owner & Operator Response
INCREASE VISIBILITY AND THREAT DETECTION
Increase security visibility and logging granularity, and prioritize threat detection. What may have been a low-priority behavior or activity last week may need more examination this week.
REVIEW & PRACTICE RESPONSE AND RECOVERY
No response plan will cover every eventuality, but general approaches, a clear chain of command, and preestablished tools and procedures all play an important part in limiting harm.
Intel on Iranian and Russian Attacks
XENOTIME, DYMALLOY, and MAGNALLIUM activity affects areas of interest and industries surrounding the conflict recently reported in the press, making it of high interest to defenders. Dragos does not attribute activity to individuals or states.
XENOTIME Activity Group
Strategic Outlook
• Expansion of XENOTIME targeting to other industrial verticals.
Operational Outlook
• XENOTIME will continue its efforts of compromising IT networks to gain access to OT environments.
Most Likely Course of Action
• Recent disclosures will likely cause XENOTIME activity to slow while the activity group retools and reorganizes.
Most Dangerous Course of Action
• XENOTIME will continue to conduct intrusions into OT environments unimpeded.
DYMALLOY Activity Group
Strategic Outlook
• DYMALLOY operations appear to be largely focused on Ukraine at this time, most likely due to the recent Ukrainian elections.
Operational Outlook
• Users in both IT and OT environments have an increased likelihood of interacting with strategic web compromises designed to harvest SMB credentials.
Most Likely Course of Action
• DYMALLOY will likely continue its campaigns of establishing strategic web compromises to capture credentials for enabling and shaping operations.
Most Dangerous Course of Action
• DYMALLOY advances its capabilities and launches a disruptive or destructive event against multiple industry verticals.
MAGNALLIUM Activity Group
Strategic Outlook
• MAGNALLIUM operations focused on ICS-related entities including oil and gas in the Middle East. Recent expansion to the US government and financial sector coincided with heightened Iranian tensions.
Operational Outlook
• MAGNALLIUM will continue its efforts of compromising IT networks. Its focus may continue to shift beyond ICS to associated sectors.
Most Likely Course of Action
• MAGNALLIUM will likely continue its phishing campaigns to gain initial access to IT networks and establish a foothold for future events.
Most Dangerous Course of Action
• MAGNALLIUM advances its capabilities and launches a disruptive or destructive event against ICS or related entities.
5 Threat Behaviors to Identify Now
1. SMB credential harvesting watering holes hosted on legitimate compromised websites.
2. Brute force password spraying attempts by adversaries seeking to compromise weak, commonly used passwords.
3. Aggregation of non-sensitive, openly accessible information to generate intelligence of sensitive value.
4. Web shells as a pivot point from the DMZ/Enterprise Zone into operational technology (OT) networks.
5. Unpatched or unmitigated CVE-2019-0708 RDP vulnerability.
Threat Hunting and Response Planning
Threat Hunting
• Logical and Planned Approach
• Tested Hypothesis
Hunting & Response: Key Questions
What is on my network?
• Asset Inventory
• Critical Assets
• Vendors, Topology, Architecture
• Collection Management Framework
• Strategic Advantage over Adversary
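Asset inventory, critical-asset identification and an understanding of topology can all be derived passively from traffic the network already carries, which is how an OT environment is usually inventoried without touching the controllers. The Python below is an added example, not the deck's or Dragos's code: it builds an inventory from constructed flow records, marks hosts that serve well-known ICS protocols as critical, and flags connections that enter the OT zone from anywhere other than the DMZ. The zone subnets, the flow sample, and the assumption that the source field is the connection initiator are constructed for the example.

```python
"""Passive asset inventory and zone-crossing check from flow records.
Added example; the zone layout and flows below are constructed."""
from collections import defaultdict
import ipaddress

# Constructed zone layout (replace with the site's own segmentation).
ZONES = {
    "enterprise": ipaddress.ip_network("10.1.0.0/16"),
    "dmz": ipaddress.ip_network("10.2.0.0/16"),
    "ot": ipaddress.ip_network("10.10.0.0/16"),
}

# Well-known ICS protocol server ports; a host serving one is an OT asset.
ICS_SERVER_PORTS = {
    502: "modbus-tcp",
    20000: "dnp3",
    102: "s7comm/iso-tsap",
    44818: "ethernet-ip",
}

# Constructed flow records: (src_ip, dst_ip, dst_port), src is the initiator.
FLOWS = [
    ("10.10.1.20", "10.10.1.50", 502),    # HMI polls a PLC over Modbus
    ("10.10.1.20", "10.10.1.51", 20000),  # HMI polls an RTU over DNP3
    ("10.2.0.10", "10.10.1.20", 3389),    # DMZ jump host to HMI: the sanctioned path
    ("10.1.5.77", "10.10.1.50", 502),     # enterprise workstation straight to a PLC
    ("10.1.5.77", "10.2.0.10", 443),
]


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def build_inventory(flows):
    """Return {ip: {"zone": str, "serves": set, "peers": set}} built only from
    observed traffic, so it reflects what is actually communicating rather than
    what the architecture drawings claim."""
    inv = defaultdict(lambda: {"zone": None, "serves": set(), "peers": set()})
    for src, dst, port in flows:
        for ip in (src, dst):
            inv[ip]["zone"] = zone_of(ip)
        inv[src]["peers"].add(dst)
        inv[dst]["peers"].add(src)
        if port in ICS_SERVER_PORTS:
            inv[dst]["serves"].add(ICS_SERVER_PORTS[port])
    return dict(inv)


def critical_assets(inventory):
    """Hosts that serve an ICS protocol: their loss has a physical effect, so they
    head the critical-asset list and the collection plan."""
    return sorted(ip for ip, a in inventory.items() if a["serves"])


def zone_violations(flows):
    """Flows entering the OT zone from anywhere other than OT itself or the DMZ.
    With the DMZ as the only sanctioned path, each hit is either an architecture
    gap to close or a pivot to hunt."""
    return [(s, d, p) for s, d, p in flows
            if zone_of(d) == "ot" and zone_of(s) not in ("ot", "dmz")]


if __name__ == "__main__":
    inventory = build_inventory(FLOWS)
    for ip, asset in sorted(inventory.items()):
        print(ip, asset["zone"], sorted(asset["serves"]), sorted(asset["peers"]))
    print("critical:", critical_assets(inventory))
    print("zone violations:", zone_violations(FLOWS))
```

Run on real flow exports, the same three functions give the asset list, the critical subset and the boundary crossings that the "what is on my network" question asks for; the peer sets double as a first-cut topology.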
Hunting & Response: Key Questions
Is my network under attack?
• Environment Visibility
• Host vs Network
• Proactive Hunting
• Vulnerability Detection
• Penetration Testing
Hunting & Response: Key Questions
How do I respond to threats or compromise?
• Playbooks
• Tested Plan and Exercises
• Professional Relationships
• Business Continuity Plan
Hunting and Responding to Threats
What is on my network?
• Asset Inventory
• Critical Assets
• Collection Management Framework
• Vendors, Topology, Architecture
Is my network under attack?
• Environment Visibility
• Proactive Hunting
• Vulnerability Detection
• Penetration Testing
How do I respond to threats or compromise?
• Exercises
• Playbooks
• Professional Relationships
• Business Continuity
• Security Controls
• Impact
• TTP
• Target(s)
Thank you
INTEL@DRAGOS.COM
• This presentation has been recorded and will be available online soon
• Technical indicators are not available to the general public and are being released to affected industries and victims – focus on the behavior, not the indicator
• Answers to questions during the webinar will be posted online afterwards