Likely operating out of Iran, the Leafminer cyber-espionage group has been targeting entities in the United States, Europe, Middle East, and East Asia, industrial cybersecurity firm Dragos warns.
The group was previously said to have been targeting government and other types of organizations in the Middle East since at least early 2017, but it appears that its target list is much broader.
Dragos, which calls the actor RASPITE, says the entity has been targeting industrial control systems in numerous countries, including access operations in the electric utility sector in the United States.
Initial access to target networks is obtained through strategic website compromise (also known as watering hole attacks), the security firm says. Similar to DYMALLOY and ALLANITE threat actors, the group embeds a link to a resource to prompt an SMB connection to harvests Windows credentials.
Next, the actor deploys scripts to install a malicious service that connect to the RASPITE-controlled infrastructure and provide remotely access the victim machine.
Although it did focus on ICS-operating entities, RASPITE has yet to demonstrated an ICS-specific capability. At the moment, there is no indication that the actor can launch destructive ICS attacks such as the widespread blackouts that hit Ukraine.
In a report on the group last week, Symantec revealed that both custom-built malware and publicly-available tools were leveraged in observed campaigns, including a modified version of Mimikatz. Some of the tools were linked to other groups apparently tied to Iran, Symantec said, noting that the actor appears to be inspired by the Russia-linked Dragonfly group.
“Dragos caught RASPITE early in its maturity which is ideal as it allows us to track its behavior and threat progression to help organizations defend against them. RASPITE uses common techniques which is good because defenders with sufficient monitoring can catch them and mitigate any opportunity for them to get better,” Sergio Caltagirone, Director of Threat Intelligence, Dragos, said.
“At this time we are limiting the amount of information in our public reports to avoid the proliferation of ideas or tradecraft to other activity groups,” Caltagirone continued.
Related: Iran-Linked ‘Leafminer’ Espionage Campaign Targets Middle East
Related: ‘Allanite’ Group Targets ICS Networks at Electric Utilities in US, UK