A related group that Dragos calls Parisite has worked in apparent cooperation with Magnallium, the security firm says, attempting to gain access to US electric utilities and oil and gas firms by exploiting vulnerabilities in virtual private networking software. The two groups' combined intrusion campaign ran through all of 2019 and continues today.Dragos declined to comment on whether any of those activities resulted in actual breaches. The report makes clear, though, that despite the IT system probes they saw no sign that the Iranian hackers could access the far more specialized software that controls physical equipment in electric grid operators or oil and gas facilities. In electric utilities in particular, digitally inducing a blackout would require far more sophistication than the techniques Dragos describes in its report.
Analysts at two security firms, Crowdstrike and Dragos, tell WIRED that they've seen a new campaign of targeted phishing emails sent to a variety of US targets last week from a hacker group known by the names APT33 , Magnallium, or Refined Kitten, and widely believed to be working in the service of the Iranian government.
But given the the threat of Iranian counterattacks, infrastructure owners should nonetheless be aware of the campaign, argues Dragos founder and former NSA critical infrastructure threat intelligence analyst Rob Lee. And they should consider not just new attempts to breach their networks but also the possibility that those systems have already been compromised. "My concern with the Iran situation is not that we're going to see some new big operation spin up," Lee says. "My concern is with access that groups might already have."
The password-spraying and VPN hacking campaigns that Dragos has observed aren't limited to grid operators or oil and gas, cautions Dragos analyst Joe Slowik. But he also says Iran has shown "definite interest" in critical infrastructure targets that include electric utilities. "Doing things in such a widespread fashion, while it seems untargeted, sloppy, or noisy, allows them to try to build up relatively quickly and cheaply multiple points of access that can be extended into follow-on activity at a point of their choosing," says Slowik, who formerly served as head of the Department of Energy's incident response team.
Iran's hackers have reportedly breached US electric utilities before , laying the groundwork for potential attacks on US electric utilities, as have Russian and China. US hackers do the same in other countries as well. But this wave of grid probing would represent a newer campaign, following the breakdown of the Obama administration's nuclear deal with Iran and the tensions that have mounted between the US and Iran since and only somewhat eased since Iran's missile strike Tuesday evening.The password-spraying campaign Dragos describes matches up with similar findings from Microsoft. In November, Microsoft revealed that it had seen Magnallium carrying out a password-spraying campaign along a similar timeline, but targeting industrial control system suppliers of the kind used in electric utilities, oil and gas facilities, and other industrial environments. Microsoft warned at the time that this password-spraying campaign could be a first step toward sabotage attempts, though other analysts have noted it may have also been aimed at industrial espionage.