For all the nation-state hacker groups that have targeted the United States power grid—and even successfully breached American electric utilities—only the Russian military intelligence group known as Sandworm has been brazen enough to trigger actual blackouts, shutting the lights off in Ukraine in 2015 and 2016. Now one grid-focused security firm is warning that a group with ties to Sandworm's uniquely dangerous hackers has also been actively targeting the US power system for years.
On Wednesday, industrial cybersecurity firm Dragos published its annual report on the state of industrial control systems security, which names four new foreign hacker groups focused on those critical infrastructure systems. Three of the newly named groups have targeted industrial control systems in the US, according to Dragos. But most noteworthy, perhaps, is a group that Dragos calls Kamacite, which the security firm describes as having worked in cooperation with the GRU's Sandworm. Kamacite has in the past served as Sandworm's "access" team, the Dragos researchers write, focused on gaining a foothold in a target network before handing off that access to a different group of Sandworm hackers, who have then sometimes carried out disruptive effects. Dragos says Kamacite has repeatedly targeted US electric utilities, oil and gas, and other industrial firms since as early as 2017.
"They are continuously operating against US electric entities to try to maintain some semblance of persistence" inside their IT networks, says Dragos vice president of threat intelligence and former NSA analyst Sergio Caltagirone. In a handful of cases over those four years, Caltagirone says, the group's attempts to breach those US targets' networks have been successful, leading to access to those utilities that has been intermittent, if not quite persistent.
Caltagirone says Dragos has only confirmed past successful Kamacite breaches of US networks, however, and has never seen those intrusions in the US lead to disruptive payloads. But because Kamacite's history includes working as part of the Sandworm operations that triggered blackouts in Ukraine not once but twice—turning off the power to a quarter million Ukrainians in late 2015 and then to a fraction of the capital of Kyiv in late 2016—its targeting of the US grid should raise alarms. "If you see Kamacite in an industrial network or targeting industrial entities, you clearly can't be confident they're just gathering information. You have to assume something else follows," Caltagirone says. "Kamacite is dangerous to industrial control facilities because when they attack them, they have a connection to entities who know how to do destructive operations."
Dragos ties Kamacite to electric grid intrusions not just in the US but also to European targets well beyond the well-publicized attacks in Ukraine. That includes a hacking campaign against Germany's electric sector in 2017. Caltagirone adds that there have been "a couple of successful intrusions between 2017 and 2018 by Kamacite of industrial environments in Western Europe."
Dragos warns that Kamacite's primary intrusion tools have been spear-phishing emails with malware payloads and brute-forcing the cloud-based logins of Microsoft services like Office 365 and Active Directory, as well as virtual private networks. Once the group gains an initial foothold, it uses valid user accounts to maintain access and has used the credential-stealing tool Mimikatz to spread further into victims' networks.
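The two initial-access techniques Dragos attributes to Kamacite, brute-forcing cloud logins and then living on valid accounts, leave a recognizable pattern in sign-in telemetry: one source address failing against many accounts (a password spray), one source hammering a single account (classic brute force), and a successful login shortly after a burst of failures from the same source (the point at which a guessed password becomes a "valid account"). The following detector is an added example written for this page, not code from Dragos, Microsoft, or the article. The log lines are constructed, the whitespace-separated field layout (timestamp, source IP, user, result) is an assumption rather than any real product's export format, and the thresholds are illustrative starting points a defender would tune to their own baseline.

```python
"""Password-spray, brute-force and success-after-failure detection over
sign-in events. Added example; the record format and thresholds are
assumptions, not a vendor schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (not real telemetry). Fields are assumed:
# ISO-8601 timestamp, source IP, user principal name, SUCCESS or FAILURE.
SAMPLE_LOG = """\
2021-02-24T09:00:01Z 203.0.113.7 alice@utility.example FAILURE
2021-02-24T09:00:04Z 203.0.113.7 bob@utility.example FAILURE
2021-02-24T09:00:07Z 203.0.113.7 carol@utility.example FAILURE
2021-02-24T09:00:10Z 203.0.113.7 dave@utility.example FAILURE
2021-02-24T09:00:13Z 203.0.113.7 erin@utility.example FAILURE
2021-02-24T09:00:16Z 203.0.113.7 frank@utility.example FAILURE
2021-02-24T09:05:00Z 203.0.113.7 erin@utility.example SUCCESS
2021-02-24T09:10:00Z 198.51.100.9 bob@utility.example FAILURE
2021-02-24T09:10:02Z 198.51.100.9 bob@utility.example FAILURE
2021-02-24T09:10:04Z 198.51.100.9 bob@utility.example FAILURE
2021-02-24T09:10:06Z 198.51.100.9 bob@utility.example FAILURE
2021-02-24T09:10:08Z 198.51.100.9 bob@utility.example FAILURE
2021-02-24T09:10:10Z 198.51.100.9 bob@utility.example FAILURE
2021-02-24T09:30:00Z 192.0.2.44 alice@utility.example FAILURE
2021-02-24T09:30:20Z 192.0.2.44 alice@utility.example SUCCESS
"""


def parse_log(text):
    """Parse the assumed line format into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "user": user.lower(),
            "ok": result == "SUCCESS",
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_users=5, max_per_user=2):
    """One source, many accounts, few attempts each -> (ip, distinct users)."""
    fails_by_ip = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails_by_ip[e["ip"]].append(e)
    alerts = []
    for ip, fails in fails_by_ip.items():
        best, start = 0, 0
        for end in range(len(fails)):
            # Slide the window start forward so fails[start:end+1] fits in it.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = defaultdict(int)
            for f in fails[start:end + 1]:
                per_user[f["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                best = max(best, len(per_user))
        if best:
            alerts.append((ip, best))
    return alerts


def detect_brute_force(events, window=timedelta(minutes=10), min_fails=5):
    """One source, one account, many failures -> (ip, user, total failures)."""
    times = defaultdict(list)
    for e in events:
        if not e["ok"]:
            times[(e["ip"], e["user"])].append(e["ts"])
    alerts = []
    for (ip, user), ts in times.items():
        start = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:
                start += 1
            if end - start + 1 >= min_fails:
                alerts.append((ip, user, len(ts)))
                break
    return alerts


def detect_success_after_failures(events, window=timedelta(minutes=10),
                                  min_fails=3):
    """A success preceded by a burst of failures from the same source: the
    moment a guessed credential turns into a 'valid account' foothold."""
    alerts = []
    for i, e in enumerate(events):
        if not e["ok"]:
            continue
        prior = [p for p in events[:i]
                 if p["ip"] == e["ip"] and not p["ok"]
                 and e["ts"] - p["ts"] <= window]
        if len(prior) >= min_fails:
            alerts.append((e["ip"], e["user"], len(prior)))
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("spray:", detect_password_spray(evs))
    print("brute force:", detect_brute_force(evs))
    print("success after failures:", detect_success_after_failures(evs))
```

The third detector is the one worth paging on: a spray or brute force that never succeeds is noise for the help desk, while a success that follows a burst of failures from the same source means the attacker now holds a valid credential and will look like an ordinary user from then on. That login, and any MFA enrollment or mailbox-rule change that follows it, is where to start an investigation.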
“One group gets in, the other… knows what to do”
Kamacite's connection to the hackers known as Sandworm—which has been identified by the NSA and US Justice Department as Unit 74455 of the GRU—isn't exactly clear. Threat intelligence companies' attempts to define distinct hacker groups within shadowy intelligence agencies like the GRU have always been murky. By naming Kamacite as a distinct group, Dragos is seeking to break down Sandworm's activities differently from others who have publicly reported on it, separating Kamacite as an access-focused group from another Sandworm-related group it calls Electrum. Dragos describes Electrum as an "effects" group, responsible for destructive payloads like the malware known as Crash Override or Industroyer, which triggered the 2016 Kyiv blackout and may have been intended to disable safety systems and destroy grid equipment.
Together, in other words, the groups Dragos calls Kamacite and Electrum make up what other researchers and government agencies collectively call Sandworm. "One group gets in, the other group knows what to do when they get in," says Caltagirone. "And when they operate separately, which we also watch them do, we clearly see that neither is really good at the other's job."
When WIRED reached out to other threat-intelligence firms including FireEye and CrowdStrike, none could confirm seeing a Sandworm-related intrusion campaign targeting US utilities as reported by Dragos. But FireEye has previously confirmed seeing a broad US-targeted intrusion campaign tied to another GRU group known as APT28 or Fancy Bear, which WIRED reported last year after obtaining an FBI notification email sent to targets of that campaign. Dragos pointed out at the time that the APT28 campaign shared command-and-control infrastructure with another intrusion attempt that had targeted a US "energy entity" in 2019, according to an advisory from the US Department of Energy. Given that APT28 and Sandworm have worked hand in hand in the past, Dragos now pins that 2019 energy-sector targeting on Kamacite as part of its larger multiyear US-targeted hacking spree.
Vanadinite and Talonite
Dragos' report goes on to name two other new groups targeting US industrial control systems. The first, which it calls Vanadinite, appears to have connections to the broad group of Chinese hackers known as Winnti. Dragos blames Vanadinite for attacks that used the ransomware known as ColdLock to disrupt Taiwanese victim organizations, including state-owned energy firms. But it also points to Vanadinite targeting energy, manufacturing, and transportation targets around the world, including in Europe, North America, and Australia, in some cases by exploiting vulnerabilities in VPNs.
The second newly named group, which Dragos calls Talonite, appears to have targeted North American electric utilities, too, using malware-laced spear-phishing emails. It ties that targeting to earlier phishing attempts using malware known as Lookback, identified by Proofpoint in 2019. Yet another group Dragos has dubbed Stibnite has targeted Azerbaijani electric utilities and wind farms using phishing sites and malicious email attachments, but it has not hit the US to the security firm's knowledge.
While none among the ever-growing list of hacker groups targeting industrial control systems around the world appears to have used those control systems to trigger actual disruptive effects in 2020, Dragos warns that the sheer number of those groups represents a disturbing trend. Caltagirone points to a rare but relatively crude intrusion targeting a small water treatment plant in Oldsmar, Florida, earlier this month, in which a still-unidentified hacker attempted to vastly increase the levels of caustic lye in the 15,000-person city's water. Given the lack of protections on those sorts of small infrastructure targets, a group like Kamacite, Caltagirone argues, could easily trigger widespread, damaging effects even without the industrial-control-system expertise of a partner group like Electrum.
That means the rise in even relatively unskilled groups poses a real threat, Caltagirone says. The number of groups targeting industrial control systems has been continually growing, he adds, ever since Stuxnet showed at the beginning of the last decade that industrial hacking with physical effects is possible. "A lot of groups are appearing, and there are not a lot going away," says Caltagirone. "In three to four years, I feel like we're going to reach a peak, and it will be an absolute catastrophe."
This story initially appeared on wired.com.