XENOTIME
Russian state-sponsored intrusion set responsible for the December 2017 TRITON/TRISIS malware attack on the Triconex safety instrumented system (SIS) at a Saudi Arabian petrochemical facility — the first publicly known cyberattack deliberately designed to target industrial safety systems and risk loss of life. FireEye/Mandiant publicly disclosed the attack in December 2017 and named the malware framework TRITON. The U.S. Treasury's OFAC sanctioned the group's sponsor — the Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM) in Moscow — on 23 October 2020 for its role in developing the TRITON malware. Dragos subsequently reported that XENOTIME had expanded its targeting beyond oil and gas to electric utilities.
Related actors (shared ATT&CK techniques)
- ALPHV/BlackCat (Unknown): 1 shared technique
- Andariel (DPRK): 1 shared technique
- APT29 (Russia): 1 shared technique
- APT3 (China): 1 shared technique
- APT39 (Iran): 1 shared technique
- COLDRIVER (Russia): 1 shared technique
References
- MITRE ATT&CK. G0088: TEMP.Veles.
- Mandiant (originally FireEye). 2017-12-14. Attackers Deploy New ICS Attack Framework 'TRITON' and Cause Operational Disruption to Critical Infrastructure.
- Dragos. XENOTIME Threat Profile.
- U.S. Department of the Treasury. 2020-10-23. Treasury Sanctions Russian Government Research Institution Connected to the Triton Malware.
Cite this page: Threat Intel Tracker. (2026-05-19). XENOTIME — actor profile. Retrieved from https://threatintel.local/actors/xenotime