A threat actor with ties to hacker groups believed to be operating out of Iran has been targeting the industrial networks of organizations in the Middle East and the United Kingdom.
Tracked by industrial cybersecurity firm Dragos as “Chrysene,” the actor has been linked to OilRig and Greenbug, groups that have mainly focused on the Arabian Gulf region and which are believed to have been involved in the Shamoon and Shamoon 2 attacks.
According to Dragos, Chrysene evolved from previous OilRig and Greenbug espionage activity – their tools, techniques and procedures overlap, but Chrysene has displayed significant advancements in technical capabilities compared to these other groups.
Chrysene specializes in initial penetration – it hacks into machines housed by the targeted organization and provides access to other groups for further exploitation.
The hackers have been active since 2017 and have targeted petrochemical, oil, gas, and energy organizations in Iraq, Pakistan, Israel and the UK.
Dragos told SecurityWeek that there are indications of possible Chrysene activity targeting North American entities, but the company has not found definitive proof.
After taking a break in late 2017, Chrysene resumed its activities and started setting up new malware infrastructure. The group has targeted industrial control system (ICS) networks, but its recent operations also involved watering hole attacks leveraging websites not related to ICS.
“For now, the group appears to focus on penetrating networks and conducting ICS-specific reconnaissance,” Dragos said. “Dragos has not seen evidence of this group having any ICS-specific capabilities that could damage critical infrastructure. Rather, CHRYSENE appears focused on initial network access and information gathering required for future activity directly targeting ICS resources.”
Last week, the security firm published a brief report on Allanite, a group linked to campaigns believed to have been conducted by Russia. In both cases, only high-level information has been made public; technical details are provided by Dragos to paying customers.