Raspite hacker group successfully penetrated networks of US electric utilities

• Researchers said the attackers use strategic website compromise to gain initial access to targeted networks.
• Officials and experts have continued to voice serious concerns over attempted attacks and ongoing threats to critical infrastructure.

Security researchers said a new threat group dubbed Raspite successfully penetrated networks of electric utilities in the United States. According to cybersecurity firm Dragos, the group has been active since at least 2017 targeting entities in the US, Europe, Middle East and East Asia.

Researchers said the attackers use strategic website compromise to gain initial access to targeted networks. Similar to threat groups Dymalloy (also known as Dragonfly) and Allanite, the group embeds a link to a resource to prompt an SMB connection to steal Windows credentials. Install scripts for a malicious service are then deployed to connect to Raspite-controlled infrastructure to allow the attackers to remotely access the infected machine.

Iran-linked hackers?

Symantec researchers recently released a report on the hacking group last week in which they linked it to Iran and named it Leafminer. Dragos did not attribute the group to a specific country. Although the firm did not publicly tie the group to any ongoing attack campaigns in the US, Symantec said Leafminer's operations targeting entities in the Middle East were "highly active."

"Raspite's activity to date currently focuses on initial access operations within the electric utility sector," Dragos researchers wrote in a blog post. "Although focused on ICS-operating entities, RASPITE has not demonstrated an ICS-specific capability to date. This means that the activity group is targeting electric utilities, but there is no current indication the group has the capability of destructive ICS attacks including widespread blackouts like those in Ukraine."

Dragos analysts said the group has yet to demonstrate capabilities of infiltrating operational networks to access industrial control systems, they believe the group could eventually develop that capability within 18-24 months.

"While the group has not yet demonstrated an ICS capability, Raspite's recent targeting focus and methodology are clear indicators of necessary activity for initial intrusion operations into an IT network to prepare the way for later potential ICS events," researchers said.

Critical infrastructure attacks

The findings comes as officials and experts continue to raise serious concerns over attempted attacks and ongoing threats to critical infrastructure.

Earlier this year, the US Department of Homeland Security and the FBI released an alert accusing Russia of orchestrating a multi-year, multi-stage cyberattack campaign against US energy infrastructure. The campaign dates back to at least March 2016 in which the attackers have been targeting lower-level victims - networks that belong to smaller companies that have weaker security, but are connected to larger firms - in order to make their way into the networks of their intended targets in the energy industry.

In July, federal officials stated that Russian hackers have already managed to breach "hundreds of victims" in a long-running and likely ongoing campaign. The attackers managed to access the control rooms of US electric utilities where they could have potentially caused blackouts, officials told the Wall Street Journal.