Dragos report identifies 11 activity groups targeting electric utility industry.

Earlier this month, the United States launched a deadly drone strike that killed Iranian Maj. Gen. Qassim Suleimani. Days later, Iran retaliated with a missile strike on two Iraqi bases housing U.S. military forces that resulted in zero casualties.
In the days since the attacks, the U.S. cybersecurity community has warned of potential cyber attacks, but a new report reveals Iranian hackers have already been targeting the U.S. power grid for the past year. According to industrial cybersecurity vendor Dragos, state-sponsored hackers have been working to gain access to American electric utilities.
“The electric utility industry is a valuable target for adversaries seeking to exploit industrial control systems (ICS) and operations technology (OT) for a variety of purposes,” Dragos says. “Attacks on electric systems – like attacks on other critical infrastructure sectors – can further an adversary’s criminal, political, economic, or geopolitical goals.”
According to the report, a hacking group known as Magnallium has been targeting the energy and aerospace industries in North America and Europe. The group, which has been linked to Iran, has been active since 2013.
Recently, Magnallium has launched a campaign of “password spraying” attacks, trying a small set of common passwords against many different accounts in the hope that at least one matches. The campaign originally targeted oil and gas firms, but over the past year this activity has increased and expanded to target electric utilities.
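Password spraying looks different from a brute-force attempt in authentication logs: one source fails against many accounts with only one or two tries each, rather than hammering a single account. The detector below is an added example written for this article, not code from Dragos or from the report; the log format, source addresses and thresholds are constructed assumptions.

```python
"""Flag password-spray sources in authentication logs (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, format: "<ISO time> <OK|FAIL> user=<name> src=<ip>".
# 203.0.113.7 sprays five accounts once each, then one login succeeds;
# 198.51.100.4 brute-forces a single account and should not be flagged.
SAMPLE_LOG = """\
2020-01-10T08:00:01 FAIL user=alice src=203.0.113.7
2020-01-10T08:00:03 FAIL user=bob src=203.0.113.7
2020-01-10T08:00:05 FAIL user=carol src=203.0.113.7
2020-01-10T08:00:07 FAIL user=dave src=203.0.113.7
2020-01-10T08:00:09 FAIL user=erin src=203.0.113.7
2020-01-10T08:00:11 OK user=frank src=203.0.113.7
2020-01-10T08:01:00 FAIL user=alice src=198.51.100.4
2020-01-10T08:01:05 FAIL user=alice src=198.51.100.4
2020-01-10T08:01:10 FAIL user=alice src=198.51.100.4
2020-01-10T08:01:15 FAIL user=alice src=198.51.100.4
2020-01-10T08:01:20 FAIL user=alice src=198.51.100.4
"""

def parse(log):
    """Yield (timestamp, result, user, src) tuples from the assumed log format."""
    for line in log.splitlines():
        ts, result, user, src = line.split()
        yield datetime.fromisoformat(ts), result, user[len("user="):], src[len("src="):]

def detect_spray(log, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Return {src: sorted accounts} for sources whose failures fit a spray pattern:
    at least min_accounts distinct users, none tried more than max_per_account
    times, all inside one sliding window. Thresholds are assumed, tune per site."""
    fails = defaultdict(list)
    for ts, result, user, src in parse(log):
        if result == "FAIL":
            fails[src].append((ts, user))
    hits = {}
    for src, events in fails.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # window anchored at each failure
            per_user = defaultdict(int)
            for ts, user in events[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                hits[src] = sorted(per_user)
                break
    return hits

def successes_from_sprayers(log, hits):
    """Successful logins from flagged sources: the accounts to review and reset first."""
    return sorted((user, src) for _, r, user, src in parse(log) if r == "OK" and src in hits)
```

Running `detect_spray(SAMPLE_LOG)` flags only 203.0.113.7, and `successes_from_sprayers` then points to the `frank` login as the one that needs immediate follow-up.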
“This activity group expansion and shift to the electric sector coincided with increasing political and military tensions in Gulf Coast Countries,” the report says.
However, Magnallium isn’t the only group targeting electric utilities in the United States.
“Of the activity groups that Dragos is actively tracking, nearly two-thirds of the groups performing ICS specific targeting and disruption activities are focused on the North American electric sector,” the report says. “Additionally, existing threats to ICS are expanding and establishing new interest in electric utility operations in North America.”
Other activity groups include Parisite, which has been active since at least 2017. Parisite uses open source tools to compromise infrastructure. The group, which has allegedly worked with Magnallium, leverages known virtual private network vulnerabilities for initial access.
“Dragos identified a recent increase in activity targeting North American electric entities, led by the identification of PARISITE activity targeting known VPN vulnerabilities, and MAGNALLIUM password spraying campaigns focusing on oil and gas that expanded to include the electric sector,” the report says. “MAGNALLIUM’s increased activity coincides with rising escalations between the US and allies, and Iran in the Middle East. Dragos expects this activity to continue.”
Dragos advises that there are six kinds of potential attack scenarios facing electric utilities in North America. These include a destructive event that could cause a power outage. Such an attack could potentially cause physical harm to operators and equipment.
Attackers can also target various aspects of the utility’s supply chain. This includes compromising the networks of third-party equipment manufacturers to gain access to electric utility environments. It also includes systematic attacks on the inputs required for energy production along the electric power supply chain.
Hackers might also work to disrupt an electric utility’s OT communications by exploiting vulnerabilities in the firewalls separating IT systems from OT. Another threat involves adversaries gaining access through cellular or satellite connections.
Finally, the Dragos report identifies planned power outages as prime targets for hackers.
“As extreme weather events increasingly cause electric power companies to schedule mass power outages, more opportunities arise for adversaries to infiltrate networks during times of scheduled blackouts,” the report says. “During planned outages, unusual activity may naturally occur on operations networks allowing an adversary to blend in with other abnormal network traffic. An adversary could also use scheduled blackouts as an opportunity to launch denial of service attacks against a utility’s phone system, such as observed in the 2015 Ukraine attacks, to prevent operators from responding to customer issues and undermining public confidence in the utility.”