Iran-linked threat groups intensify cyber attacks targeting US utilities

Iran-linked groups have been probing US critical infrastructure networks for more than a year, warns Dragos

Iran-backed hacking groups have intensified password-spraying attacks to target US electric utilities following recent conflict between the two countries.

Industrial security specialists Dragos claim to have observed Iran-backed threat group Magnallium launching a broad campaign of cyber attacks in an effort to acquire a toehold in the networks of US electric utilities and oil and gas firms.

Password spraying is a crude style of attack in which hackers attempt to access hundreds or even thousands of accounts by guessing a few commonly used passwords (such as 'Password123' or 'Summer2017') before moving on to try a second password, and so on. Because each account sees only a handful of failed attempts, the technique evades rapid account lockouts and allows threat actors to remain unnoticed.
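Lockout policies count failures per account, so a spray stays under them; a detector has to look across accounts per source instead. The following is an added example (not from the article or from Dragos) that flags a source hitting many distinct accounts within a window while every account stays below the lockout threshold, run over a constructed set of authentication failure records.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-login records (not from the article): timestamp, source IP, account.
# One source sprays five accounts once each; another hammers a single account (classic brute force).
SAMPLE_FAILURES = """\
2019-06-03T08:00:01Z 203.0.113.7 alice
2019-06-03T08:00:04Z 203.0.113.7 bob
2019-06-03T08:00:07Z 203.0.113.7 carol
2019-06-03T08:00:10Z 203.0.113.7 dave
2019-06-03T08:00:13Z 203.0.113.7 erin
2019-06-03T08:01:00Z 198.51.100.9 alice
2019-06-03T08:01:03Z 198.51.100.9 alice
2019-06-03T08:01:06Z 198.51.100.9 alice
2019-06-03T08:01:09Z 198.51.100.9 alice
2019-06-03T08:01:12Z 198.51.100.9 alice
"""

def parse_failures(text):
    """Parse 'timestamp source account' lines into (datetime, source, account) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, account = line.split()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, account))
    return records

def detect_spray(records, window=timedelta(minutes=10), min_accounts=5, lockout_threshold=5):
    """Return {source: [accounts]} for sources whose failures inside one window touch at least
    min_accounts distinct accounts while no single account reaches lockout_threshold attempts.
    A per-account lockout never fires on this shape, which is exactly why spraying evades it."""
    by_source = defaultdict(list)
    for ts, src, account in records:
        by_source[src].append((ts, account))
    flagged = {}
    for src, events in by_source.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide the window over this source's failures
            counts = defaultdict(int)
            for ts, account in events[i:]:
                if ts - start > window:
                    break
                counts[account] += 1
            if len(counts) >= min_accounts and max(counts.values()) < lockout_threshold:
                flagged[src] = sorted(counts)
                break
    return flagged
```

The single-account brute force is deliberately not flagged here; that pattern is what the lockout policy itself already catches.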

"Across the board we are seeing an increase in activity, an increase in targeting, and an increase in sophistication," said Amy Bejtlich, director of intelligence analysis for Dragos.

"Adversary groups are recognising the value of targeting industrial environments, so as defenders, we have to be aware of activity, not just in one sector, but across all sectors."

Magnallium (also known as Refined Kitten, APT33 and Elfin) targeted US industrial control systems (ICS) throughout 2019, though researchers said it still lacks the capability to cause blackouts in the US, even if it were able to compromise networks.

The group remains focused on initial IT intrusions, and there is no evidence so far to suggest that the hackers were able to gain access to specialised software used to control physical equipment in electric grid operations or oil and gas facilities.

Dragos says it also tracked the activities of another related group, called Parisite, which has been working in cooperation with Magnallium. This group also attempts to gain access to the networks of oil and gas companies by exploiting security flaws in virtual private networking (VPN) software.

The combined cyber campaign of the two groups ran through all of the last year and continues today, according to the report.

Overall, Dragos tracked the activities of 11 groups, of which 7 are focused on reconnaissance and disruption of the US grid. Xenotime is one such group that has long focused on oil and gas firms but recently shifted its targeting to also include the US power sector, Dragos stated in its report.

Because cyber attacks on electricity utilities could have substantial geopolitical and economic impact, state-linked actors, including those from Russia, North Korea, China and Iran, are expected to increasingly target the energy sector to further their goals, the report warns.