A new report highlights hacking activity targeting U.S. electric utilities and oil and gas firms attributed to the threat group Magnallium, widely known as APT33, an Iranian state-sponsored advanced persistent threat (APT), which largely consisted of password-spraying attacks – guessing passwords using a set of commonly-used credentials.

According to Dragos, Inc.'s January 2020 North American Electric Cyber Threat Perspective report, seven of 11 tracked activity groups target North American electric entities: PARISITE, XENOTIME, DYMALLOY, ALLANITE, MAGNALLIUM, RASPITE, and COVELLITE. Dragos identified a recent increase in activity targeting North American electric entities, led by the identification of PARISITE activity targeting known VPN vulnerabilities, and MAGNALLIUM password spraying campaigns focusing on oil and gas that expanded to include the electric sector.

MAGNALLIUM’s increased activity coincides with rising escalations between the U.S. and allies, says Dragos, and Iran in the Middle East. Dragos expects this activity to continue. Additionally, XENOTIME activity enabling potential supply chain compromise could affect entities in North America. Dragos adds that compromising ICS hardware and software vendors poses a threat to all ICS entities regardless of region due to global production and distribution. 

Given the increasing tensions and divisive rhetoric around cyber capabilities targeting electric systems, North American asset owners and operators should be aware of the potential increased risk to electric operations, notes Dragos. "It is unknown what, if any, impact the 2020 U.S. federal elections may have on cyber threats to the North American electric system. But, major elections continue to play a significant role in cyber operations and this upcoming event cannot be ignored by any critical infrastructure sector. Dragos continues to track phishing campaigns targeting North American electric utilities, with all activity generally focused on initial access operations," says the report.

Since April 2019, over a dozen U.S.-based electric utilities received spearphishing emails spoofing licensing and certification bodies with the intent to deliver LookBack malware. The security firm Proofpoint first publicly reported this campaign.

In addition, Dragos says that there are six concerning and possible attack scenarios for North American Electric:

  1. Destructive event causing power outage
  2. Third-party and original equipment manufacturer (OEM) compromises
  3. Systematic attack on electricity generation 
  4. OT communications gateways
  5. Adversary access through cellular or satellite connections 
  6. Power outages provide adversary disruption opportunities

A disruptive attack would require significant effort to achieve in North America, and as an adversary must spend significant time within compromised networks to learn operations (i.e. dwell time) this provides defenders with numerous opportunities to identify and remove malicious activity prior to disruption, notes Dragos. 

To remain ahead of the attackers, Dragos contends that certain electric power entities in the U.S. must adhere to mandatory cybersecurity standards under authority from the Federal Energy Regulatory Commission (FERC) and established by the North American Electric Reliability Corporation (NERC). 

For more information and to view the full report, visit Dragos.com.