A newly discovered adversarial group has been targeting operations in electrical utilities in the US, according to Dragos. The activity group, dubbed RASPITE, has reportedly been active in some capacity since early to mid-2017.
Dragos has confirmed that RASPITE is now targeting ICS, specifically electric utilities in the US, Europe, Middle East and East Asia. While researchers have confirmed that this new group is targeting electric utilities, there is no current indication the group has the capability of destructive ICS attacks, including widespread blackouts like those in Ukraine.
Detailed in a blog post, analysis of the group’s activity revealed that the group currently focuses on initial access operations within the electrical utility sector. They gain access to their target networks by leveraging strategic website compromise. RASPITE also maps to LeafMiner, a group that Symantec recently reported on in the Middle East.
“RASPITE uses the same methodology as DYMALLOY and ALLANITE in embedding a link to a resource to prompt an SMB connection, from which it harvests Windows credentials,” the blog post stated. Deploying install scripts grants them remote access to the victim machine via a malicious service that beacons back to RASPITE-controlled infrastructure.
“Dragos caught RASPITE early in its maturity, which is ideal as it allows us to track its behavior and threat progression to help organizations defend against them. RASPITE uses common techniques, which is good because defenders with sufficient monitoring can catch them and mitigate any opportunity for them to get better,” said Sergio Caltagirone, director of threat intelligence, Dragos.
“At this time we are limiting the amount of information in our public reports to avoid the proliferation of ideas or tradecraft to other activity groups. Although Dragos does not conduct country-specific attribution of industrial control threats, generally threats focused on industrial control are state sponsored due to the inherent risk, limited financial gain and potential blow back from the operations.”