
Group That Caused Power Outage Stops Focusing Exclusively on Ukraine

Electrum, the Russia-linked hacker group believed to be responsible for the 2016 power outage in Ukraine, no longer focuses exclusively on this country, according to industrial cybersecurity firm Dragos.


Electrum is said to have used Crashoverride/Industroyer, a piece of malware designed to target industrial control systems (ICS), to cause the power outage in December 2016. Researchers have also found links to Sandworm (aka TeleBots and BlackEnergy), which has been blamed for the 2015 power outage that hit Ukraine. Sandworm is also believed to have played a role in the ongoing VPNFilter campaign.

According to Dragos, Electrum initially focused on capability development and on facilitating Sandworm's attacks. Starting with the Crashoverride attack, however, it took on operational tasks as well.

The group remains active and, since last year, has been observed targeting organizations outside Ukraine. While Dragos is unable to disclose which regions have been targeted, the company told SecurityWeek that the hackers have launched attacks against organizations in the water and electric sectors.

The security firm has been monitoring Electrum and earlier this year it obtained new information on the threat actor's intrusion techniques and on the capabilities of the Crashoverride malware. Researchers say the group relies on common attack methods rather than zero-day vulnerabilities and exploits.

“For instance, the group used Microsoft SQL database servers as the gateway that bridges both the business and industrial control networks, to successfully compromise industrial control systems where they used stolen credentials to execute code,” explained Sergio Caltagirone, director of threat intelligence at Dragos. 
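The SQL-server pivot Caltagirone describes is worth turning into a concrete check. What follows is an added example, not code from the article or from Dragos: it scans constructed SQL Server ERRORLOG lines (the formats are the ones SQL Server writes when successful-login auditing is enabled) for two signals of the pattern described above, a successful login to the bridging database server from a host outside the control network, and the enabling of an OS-command-execution feature such as xp_cmdshell. The network ranges, host names, user names and the assumption that xp_cmdshell was the execution mechanism are all illustrative; the article does not say how code was executed.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample lines mimicking the SQL Server ERRORLOG format. Every
# address, host name and user name is made up for this example.
SAMPLE_ERRORLOG = """\
2018-07-10 03:12:44.10 Logon       Login succeeded for user 'DOMAIN\\svc_historian'. Connection made using Windows authentication. [CLIENT: 10.20.5.17]
2018-07-10 03:13:02.55 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 172.16.40.9]
2018-07-10 03:13:05.91 spid52      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2018-07-10 03:13:06.02 spid52      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2018-07-10 03:14:11.37 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 172.16.40.9]
2018-07-10 04:01:00.00 Logon       Login succeeded for user 'DOMAIN\\hmi_reader'. Connection made using Windows authentication. [CLIENT: 10.20.5.22]
"""

# Assumed layout: the database server bridges the business and control
# networks, and only control-network (OT) hosts are expected to log in to it.
# Stolen credentials produce *successful* logins, so the source network, not
# an authentication failure, is the signal.
OT_NETWORKS = [ipaddress.ip_network("10.20.5.0/24")]

# Server options that turn the database engine into a code-execution host.
# xp_cmdshell is assumed here as an illustration; the article names no mechanism.
OS_EXEC_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures"}

TIMESTAMP_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)")
LOGIN_OK_RE = re.compile(
    r"Login succeeded for user '(?P<user>[^']+)'.*\[CLIENT: (?P<ip>[0-9a-fA-F.:]+)\]"
)
CONFIG_RE = re.compile(
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)"
)


def is_ot_address(ip: str) -> bool:
    """True if the client address belongs to one of the expected OT ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OT_NETWORKS)


def analyze_errorlog(log_text: str) -> List[Dict[str, str]]:
    """Return one alert dict per suspicious line in a SQL Server ERRORLOG."""
    alerts: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        ts_match = TIMESTAMP_RE.match(line)
        ts = ts_match.group("ts") if ts_match else "?"

        login = LOGIN_OK_RE.search(line)
        if login and not is_ot_address(login.group("ip")):
            # A valid credential used from the business side of the bridge.
            alerts.append({
                "time": ts,
                "kind": "login_from_business_network",
                "detail": f"user {login.group('user')} from {login.group('ip')}",
            })
            continue

        cfg = CONFIG_RE.search(line)
        if cfg and cfg.group("option") in OS_EXEC_OPTIONS and cfg.group("new") != "0":
            # Enabling OS command execution inside the database engine.
            alerts.append({
                "time": ts,
                "kind": "os_execution_enabled",
                "detail": f"{cfg.group('option')} set to {cfg.group('new')}",
            })
    return alerts


if __name__ == "__main__":
    for alert in analyze_errorlog(SAMPLE_ERRORLOG):
        print(f"{alert['time']}  {alert['kind']:<30} {alert['detail']}")
```

In the constructed log the 'sa' login from 172.16.40.9 and the xp_cmdshell change are flagged, while the two control-network logins, the 'show advanced options' change and the failed login are not. On a real deployment the same two checks map directly onto the two halves of the quoted description: a business-network credential reaching the bridging server, then that server being turned into a place to run code.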


The company told SecurityWeek it had not identified any new deployment of the Crashoverride malware. “Crashoverride was a very specific framework for electric grid attacks. We would only expect to see this immediately prior to an ICS impact,” it said.


“The group’s ongoing activity and link to the Sandworm team indicate Electrum’s sponsor could direct ICS disruption operations to other geographic areas,” Caltagirone noted. “Dragos considers Electrum to be one of the most competent and sophisticated threat actors currently in the ICS industry.”

Dragos has published brief reports on several of the groups that pose a threat to ICS, including Iran-linked Chrysene, Russia-linked Allanite, and Xenotime, the group believed to be behind the Triton/Trisis attacks.

Last week, it reported that a threat actor linked to North Korea’s Lazarus Group had stopped targeting organizations in the United States.

Related: NotPetya Connected to BlackEnergy/KillDisk

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
