Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

Iran-Linked Actor Targets U.S. Electric Utility Firms

Likely operating out of Iran,

Likely operating out of Iran, the Leafminer cyber-espionage group has been targeting entities in the United States, Europe, Middle East, and East Asia, industrial cybersecurity firm Dragos warns.

The group was previously said to have been targeting government and other types of organizations in the Middle East since at least early 2017, but it appears that its target list is much broader.

Dragos, which calls the actor RASPITE, says the entity has been targeting industrial control systems in numerous countries, including access operations in the electric utility sector in the United States.

Initial access to target networks is obtained through strategic website compromise (also known as watering hole attacks), the security firm says. Similar to DYMALLOY and ALLANITE threat actors, the group embeds a link to a resource to prompt an SMB connection to harvests Windows credentials.

Next, the actor deploys scripts to install a malicious service that connect to the RASPITE-controlled infrastructure and provide remotely access the victim machine.

Although it did focus on ICS-operating entities, RASPITE has yet to demonstrated an ICS-specific capability. At the moment, there is no indication that the actor can launch destructive ICS attacks such as the widespread blackouts that hit Ukraine.

In a report on the group last week, Symantec revealed that both custom-built malware and publicly-available tools were leveraged in observed campaigns, including a modified version of Mimikatz. Some of the tools were linked to other groups apparently tied to Iran, Symantec said, noting that the actor appears to be inspired by the Russia-linked Dragonfly group.

“Dragos caught RASPITE early in its maturity which is ideal as it allows us to track its behavior and threat progression to help organizations defend against them. RASPITE uses common techniques which is good because defenders with sufficient monitoring can catch them and mitigate any opportunity for them to get better,” Sergio Caltagirone, Director of Threat Intelligence, Dragos, said.

Advertisement. Scroll to continue reading.

“At this time we are limiting the amount of information in our public reports to avoid the proliferation of ideas or tradecraft to other activity groups,” Caltagirone continued.

Related: Iran-Linked ‘Leafminer’ Espionage Campaign Targets Middle East

Related: ‘Allanite’ Group Targets ICS Networks at Electric Utilities in US, UK

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Raffi Joukhadarian has been named Managing Director and Chief Financial Officer at MorganFranklin Cyber.

Data security firm Rubrik has appointed Kavitha Mariappan as its Chief Transformation Officer.

DARPA veteran Dan Kaufman has joined Badge as SVP, AI and Cybersecurity.

More People On The Move

Expert Insights