Security analysts have discovered a new hacking group that has been successful in breaching the networks of electric utilities in the United States.
The new research from cybersecurity firm Dragos is yet more evidence that hacking groups are looking for ways to penetrate networks of critical infrastructure — potentially with the intention to stage disruptive or destructive attacks.
The hacking group has been penetrating targets in the United States, as well as the Middle East, Europe and East Asia, for at least a year, according to Dragos.
In the United States, the group — which analysts at Dragos have named “Raspite” — has been particularly focused on breaching companies that manage generation, transmission or distribution of energy across the country.
Cybersecurity firm Symantec had disclosed initial details about the hacking group last week, linking it to Iran and naming it “Leafminer.” Symantec had described the group's operations against targets in the Middle East as “highly active,” but did not publicly attribute any hacking operations in the U.S. to the group.
The hacking group, while not particularly sophisticated, has been effective. The group successfully breached networks of the companies' business sides by using common tools and tactics like phishing emails and so-called watering hole attacks — a strategy in which a hacker infects a legitimate website that its target frequently visits.
While the hacker group has not made its way onto operational networks — which would provide attackers access to the industrial control systems that power elements of the electric grid — analysts at Dragos say the group could develop that capability within 18-24 months.
Analysts also say the hackers are likely aiming to collect intelligence on industrial systems so they can develop capabilities to disrupt them in the future — a capability they have not yet demonstrated.
“They are clearly interested in operational technology,” said Sergio Caltagirone, director of threat intelligence at Dragos.
Symantec had tracked the group back to Iran, but would not go so far as to say that it is state-sponsored. Dragos did not attribute the group to a specific country, but Caltagirone believes it is state-sponsored.
He said any actors would take on “significant risk” by breaking into U.S. utilities and would lack financial motivation for doing so, therefore ruling out cyber criminals as suspects.
“We would assess this is likely a state actor, but we can’t go any further or deeper than that,” Caltagirone said.
Officials have grown increasingly wary of threats to critical infrastructure, particularly after twin cyberattacks knocked out power in areas of Ukraine in 2015 and 2016. Russia is widely suspected in both attacks.
Earlier this year, U.S. officials disclosed that Russian hackers waged a multiyear cyberattack campaign on the energy sector. The Wall Street Journal reported earlier this month that the hackers breached “hundreds of victims,” and in some cases made their way into the control rooms of U.S. electric utilities.
On Wednesday, the Department of Homeland Security set up a new center specifically devoted to helping protect critical assets — from banks to electric companies to manufacturing plants — most of which are owned and operated by the private sector.
Few attack groups are actually known to possess cyber tools to disrupt industrial control systems, but the number appears to be growing.
Dragos is also tracking a hacker group responsible for deploying a highly sophisticated, destructive malware to an unidentified industrial plant in the Middle East last year. Analysts said in May that the group had begun to expand its operations to new targets.
“The ability to attack industrial control and energy has become in vogue,” Caltagirone said. “That’s a very scary thing for nations and defenders who are focused on defending critical infrastructure.”
“Now it’s becoming something that more and more groups want to do on a regular basis,” he added.