New Cyber Threat Actor Targeting Power Sector Identified

Cybersecurity experts have identified a new activity group that they say is targeting access operations at electric utilities in the U.S., Europe, Middle East, and East Asia. 

Cybersecurity firm Dragos Inc. told POWER on August 1 that though it has confirmed that the group—which it dubbed “RASPITE”—is actively targeting electric utilities, “there is no current indication the group has the capability” to conduct destructive widespread blackouts like those in Ukraine in 2016. Dragos added, “Operations against electric utility organizations appear limited to the U.S. at this time.” 

Symantec, another security firm, calls the group, “Leafminer.” On July 25, Symantec said in a blog post that the group’s activity remains centered on the Middle East, mostly in Saudi Arabia—noting that threat is likely being perpetrated by Iranian actors. “One interesting source of target information discovered during the Leafminer investigation was a list of 809 targets used by the attackers for vulnerability scans,” it said. “The list is written in the Iranian language Farsi and groups each entry with organization of interest by geography and industry.” According to Symantec, however, industry verticals suggest the group is targeting mainly government, financial, and petrochemical sectors, and to a lesser degree, airline, security services, and the utility sectors. 

Symantec said that Leafminer uses three main techniques for initial intrusion of target networks. These include compromised web servers used for watering hole attacks; scans or exploits for vulnerabilities of network services; and dictionary attacks against logins of network services. 

Dragos’s analysis of tactics, techniques, and procedures (TTPs) used by RASPITE indicate the group has been active “in some form” since early- to mid-2017—an origin timeframe that Symantec confirms. “RASPITE leverages strategic website compromise to gain initial access to target networks. RASPITE uses the same methodology as DYMALLOY and ALLANITE in embedding a link to a resource to prompt an SMB connection, from which it harvests Windows credentials. The group then deploys install scripts for a malicious service to beacon back to RASPITE-controlled infrastructure, allowing the adversary to remotely access the victim machine,” Dragos said. 

According to Dragos, however, RASPITE is focused on entities that operate industrial control systems (ICS), though it “has not demonstrated an ICS-specific capability to date.” Yet, Dragos warned that the group’s “recent targeting focus and methodology are clear indicators of necessary activity for initial intrusion operations into an IT network to prepare the way for later potential ICS events.”

 The Benefits of Early Identification

Sergio Caltagirone, director of Threat Intelligence at Dragos, told POWER that catching RASPITE early in its maturity “is ideal as it allows us to track its behavior and threat progression to help organizations defend against them. RASPITE uses common techniques, which is good because defenders with sufficient monitoring can catch them and mitigate any opportunity for them to get better,” he said. 

Dragos noted that it does not describe ICS activity group technical details (except in extraordinary circumstances) in order to limit tradecraft proliferation. “Although Dragos does not conduct country-specific attribution of industrial control threats, generally, threats focused on industrial control are state-sponsored due to the inherent risk, limited financial gain, and potential blow back from the operations,” said Caltagirone. 

Earlier this year, Dragos warned that 2017 was a “watershed” year in ICS security, largely due to the discovery of new capabilities and a significant increase in ICS threat activity groups. Before last year, only three families of ICS-specific malware were known: STUXNET, discovered before 2010; BLACKENERGY 2, discovered in 2012; and HAVEX, which emerged in 2013. In 2017, two new samples emerged: TRISIS and CRASHOVERRIDE. “Both of these samples led to industry firsts,” Joe Slowik, a Dragos senior threat analyst, said in March. “CRASHOVERRIDE was the first malware to ever specifically target and disrupt electric grid operations and led to operational outages in Kiev, Ukraine, in 2016 (although it was not definitively discovered until 2017),” he said. “TRISIS is the first malware to ever specifically target and disrupt safety instrumented systems (SIS), and is the first malware to ever specifically target, or accept as a potential consequence, the loss of human life.”

This May, the firm described a new cyberattack threat activity group it identified “XENOTIME,” which it said is intent on compromising and disrupting industry safety instrumented systems globally.  

DHS Kicks off Cybersecurity Summit

The proliferation of cyber threat actors targeting critical infrastructure has been a long-standing concern for industry and government. On July 31, the U.S. Department of Homeland Security (DHS) kicked off the first-of-its-kind National Cybersecurity Summit in New York City, seeking to lay out a vision for a “collective defense strategy” to protect critical infrastructure. 

The DHS said in a statement on August 1 that throughout the summit, government and industry partners agreed “on a series of concrete steps to better understand what is truly critical and work together to reduce strategic risk.” 

At the summit, DHS Secretary Kirstjen Nielsen also announced the creation of the National Risk Management Center, which will coordinate national efforts to protect the nation’s critical infrastructure. The center will work closely with the National Cybersecurity and Communications Integration Center (NCCIC)—the DHS’s central hub for cyber operations focused on threat indicator sharing, technical analysis and assessment services, and incident response. “The two centers will work hand-in-hand to ensure effective coordination between strategic risk management and tactical operations,” the DHS said. 

At the event, the DHS also unveiled the formation of the Information and Communications Technology (ICT) Supply Chain Risk Management Task Force, which will examine and develop recommendations “for actions to address key strategic challenges to identifying and managing risk associated with the global information and communications technology supply chain and related third-party risk.” The task force is intended to focus on solutions to manage strategic risks through policy initiatives and opportunities for innovative public-private partnership. 

The DHS said the summit was attended by a group of more than 20 CEOs from large companies and senior-most government officials, along with “hundreds of others from across a wide range of industries.”

—Sonal Patel is a POWER associate editor (@sonalcpatel, @POWERmagazine)