In the aftermath of the American assassination of Iranian General Qassem Soleimani and Iran's subsequent retaliatory missile strikes, Iran watchers have warned that the country could also launch cyberattacks, perhaps even targeting American critical infrastructure such as the electricity grid. A new report gives some new details about the nature of that threat: it appears that Iranian hackers are currently unable to cause blackouts in the US. But they worked to gain access to American electric utilities long before the current tensions between the two countries arose.

On Thursday morning, the industrial control system security company Dragos detailed newly revealed hacking activity that it has tracked and attributes to a group of state-sponsored hackers it calls Magnallium. The same group is also known as APT33, Refined Kitten or Elfin and has previously been linked to Iran. Dragos says it has observed Magnallium carrying out a broad campaign of so-called password spraying attacks, which try a set of common passwords against hundreds or even thousands of different accounts, targeting US electric utilities and oil and gas companies.

A related group that Dragos calls Parisite has apparently worked alongside Magnallium, the security company says, trying to gain access to US electric utilities and oil and gas companies by exploiting vulnerabilities in virtual private network software. The combined intrusion campaign of the two groups ran throughout 2019 and continues today.

“My concern is with access that groups may already have.”

Rob Lee, Dragos

Dragos declined to comment on whether any of that activity led to actual intrusions. But the report makes clear that, despite the probing of IT systems, it saw no sign that the Iranian hackers had gained access to the far more specialized software that controls physical equipment at power grid operators or oil and gas facilities. At electric utilities in particular, digitally inducing a blackout would require techniques far more advanced than those Dragos describes in its report.

But given the threat of Iranian counterattacks, infrastructure owners should nevertheless be aware of the campaign, argues Dragos founder and former NSA critical infrastructure analyst Rob Lee. And they should not only watch for new attempts to break into their networks, but also consider the possibility that those systems have already been compromised. “My concern about the situation in Iran is not that we are going to see another major operation,” says Lee. “My concern is with access that groups may already have.”

The password spraying and VPN hacking campaigns that Dragos has observed are not limited to grid operators or oil and gas, warns Dragos analyst Joe Slowik. But he also says that Iran has shown a “clear interest” in critical infrastructure targets, with a preference within that search for targets that include electric utilities. “By doing things in such a widespread way, while it seems unfocused, untidy or noisy, they can try to build multiple access points relatively quickly and cheaply that can be extended to follow-up activity at a point they choose,” says Slowik, who previously served on the Department of Energy's incident response team.
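Password spraying, as described above, tries a few common passwords against many accounts rather than many passwords against one, which is exactly the shape that per-account lockout counters miss. The following is an added example, not code from the article, from Dragos or from Microsoft, showing how a defender can pick that pattern out of authentication logs: it parses constructed, syslog-style failed-login lines from a hypothetical VPN gateway and flags any source address that fails against many distinct accounts with only a guess or two each, while leaving a single-account brute force and an ordinary mistyped password unflagged. The log format, IP addresses, account names and thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not taken from the Dragos or Microsoft reports):
# syslog-style records from a hypothetical VPN gateway.
#   203.0.113.7  tries one password against six different accounts (spray)
#   198.51.100.9 tries six passwords against one account (brute force)
#   192.0.2.5    fails once, i.e. an ordinary user typo
SAMPLE_LOG = """\
2019-11-04T08:00:01Z vpn-gw sshd[101]: Failed password for alice from 203.0.113.7 port 50001
2019-11-04T08:00:04Z vpn-gw sshd[102]: Failed password for bob from 203.0.113.7 port 50002
2019-11-04T08:00:07Z vpn-gw sshd[103]: Failed password for carol from 203.0.113.7 port 50003
2019-11-04T08:00:09Z vpn-gw sshd[104]: Accepted password for dave from 192.0.2.44 port 50200
2019-11-04T08:00:10Z vpn-gw sshd[105]: Failed password for dave from 203.0.113.7 port 50004
2019-11-04T08:00:13Z vpn-gw sshd[106]: Failed password for erin from 203.0.113.7 port 50005
2019-11-04T08:00:16Z vpn-gw sshd[107]: Failed password for frank from 203.0.113.7 port 50006
2019-11-04T08:01:00Z vpn-gw sshd[108]: Failed password for admin from 198.51.100.9 port 40001
2019-11-04T08:01:02Z vpn-gw sshd[109]: Failed password for admin from 198.51.100.9 port 40002
2019-11-04T08:01:04Z vpn-gw sshd[110]: Failed password for admin from 198.51.100.9 port 40003
2019-11-04T08:01:06Z vpn-gw sshd[111]: Failed password for admin from 198.51.100.9 port 40004
2019-11-04T08:01:08Z vpn-gw sshd[112]: Failed password for admin from 198.51.100.9 port 40005
2019-11-04T08:01:10Z vpn-gw sshd[113]: Failed password for admin from 198.51.100.9 port 40006
2019-11-04T08:05:00Z vpn-gw sshd[114]: Failed password for grace from 192.0.2.5 port 60001
"""

# Assumed line layout: "<ISO timestamp> <host> <process>: Failed password for <user> from <ip> ..."
FAILED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) \S+ \S+: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_failures(text):
    """Yield (timestamp, username, source_ip) for every failed-login line; other lines are skipped."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group("user"), m.group("ip")


def detect_spraying(text, window=timedelta(minutes=30), min_accounts=5, max_per_account=2):
    """Return {source_ip: details} for each source whose failures inside some
    sliding `window` touch at least `min_accounts` distinct accounts while
    never exceeding `max_per_account` attempts against any one of them.
    Many accounts with few guesses each is the spraying signature; a brute
    force against a single account does not match and is left to per-account
    lockout logic."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(text):
        by_ip[ip].append((ts, user))

    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            per_user = defaultdict(int)
            for ts, user in events[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                findings[ip] = {
                    "accounts": len(per_user),
                    "max_attempts_per_account": max(per_user.values()),
                    "first_seen": start.isoformat(),
                }
                break  # one finding per source is enough for an alert
    return findings


if __name__ == "__main__":
    for ip, info in detect_spraying(SAMPLE_LOG).items():
        print(f"possible password spray from {ip}: {info}")
```

On the constructed log only 203.0.113.7 is reported, with six accounts and at most one attempt per account. The thresholds are deliberately conservative; in production they would be tuned against a baseline of normal failed-login volume, and the source key would usually be widened from a single IP to an ASN or a session identifier, since a spray of the breadth the article describes is often spread across many source addresses.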

Iran’s hackers have reportedly breached US electric utilities before and laid the groundwork for possible attacks on them, as have Russia and China. American hackers do the same in other countries. But this wave of network probing would represent a newer campaign, following the breakdown of the Obama-era nuclear deal with Iran and the tensions that have arisen between the US and Iran since then, tensions that have only slightly subsided since Iran’s missile attack on Tuesday night.

The password spraying campaign Dragos describes shares similarities with earlier findings from Microsoft. In November, Microsoft revealed that it had seen Magnallium carry out a password spraying campaign along a similar timeline, but aimed at suppliers of industrial control systems of the kind used in electric utilities, oil and gas facilities and other industrial environments. Microsoft warned at the time that a password spraying campaign could be a first step toward sabotage attempts, although other analysts have noted that it may also have been focused on industrial espionage.
