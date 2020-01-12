[Image: electricity pylons at sunset]

After the US’s assassination of Iranian general Qasem Soleimani and Iran’s subsequent retaliatory missile strike, Iran watchers warned that the country could also carry out cyberattacks, possibly against critical US infrastructure such as the power grid. A new report reveals some details about the nature of that threat: Iranian hackers do not appear to have the ability to cause power outages in the US. They did, however, seek access to American electric utilities long before tensions between the two countries escalated.

On Thursday morning, industrial control systems security company Dragos disclosed newly discovered hacking activity that it is tracking and has attributed to a state-sponsored group it calls Magnallium. The same group is also known as APT33, Refined Kitten or Elfin and has previously been linked to Iran. According to Dragos, Magnallium has carried out a broad campaign of so-called password spraying attacks, in which a small set of common passwords is tried against hundreds or even thousands of different accounts, aimed at US electric utilities and oil and gas companies. Because each account sees only a handful of attempts, per-account lockout thresholds are rarely tripped.
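The defensive counterpart to the technique described above is to look for the spray pattern itself: many distinct accounts failing from one source in a short window, with few failures per account, rather than many failures against one account. The following detector is an added example, not code from Dragos or from the article; the log format (timestamp, user, result, source IP) and the sample lines are constructed for illustration, and the thresholds are assumptions a defender would tune to their own environment. It flags a spraying source and also reports any successful login from that source inside the spray window, which is the follow-on access worth escalating.

```python
"""
Password-spray detector run over constructed authentication log lines.

A spray tries a few passwords against many accounts, so the per-account
lockout counter never trips.  The signal is therefore per-source: many
distinct accounts failing in a short window, each only a few times.
Log format and sample data below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "timestamp user result source_ip".
# 203.0.113.10 sprays ten accounts once each, then logs in as "mallory".
# 198.51.100.7 hammers one account (brute force, not a spray).
SAMPLE_LOG = """\
2019-11-04T08:00:01Z alice FAIL 203.0.113.10
2019-11-04T08:00:03Z bob FAIL 203.0.113.10
2019-11-04T08:00:05Z carol FAIL 203.0.113.10
2019-11-04T08:00:07Z dave FAIL 203.0.113.10
2019-11-04T08:00:09Z erin FAIL 203.0.113.10
2019-11-04T08:00:11Z frank FAIL 203.0.113.10
2019-11-04T08:00:13Z grace FAIL 203.0.113.10
2019-11-04T08:00:15Z heidi FAIL 203.0.113.10
2019-11-04T08:00:17Z ivan FAIL 203.0.113.10
2019-11-04T08:00:19Z judy FAIL 203.0.113.10
2019-11-04T08:00:21Z mallory SUCCESS 203.0.113.10
2019-11-04T08:05:00Z alice FAIL 198.51.100.7
2019-11-04T08:05:02Z alice FAIL 198.51.100.7
2019-11-04T08:05:04Z alice FAIL 198.51.100.7
2019-11-04T08:05:06Z alice FAIL 198.51.100.7
2019-11-04T08:05:08Z alice FAIL 198.51.100.7
2019-11-04T08:05:10Z alice FAIL 198.51.100.7
2019-11-04T08:05:12Z alice FAIL 198.51.100.7
2019-11-04T08:05:14Z alice FAIL 198.51.100.7
2019-11-04T08:05:16Z alice FAIL 198.51.100.7
2019-11-04T08:05:18Z alice FAIL 198.51.100.7
2019-11-04T08:05:20Z alice FAIL 198.51.100.7
2019-11-04T09:30:00Z bob SUCCESS 192.0.2.55
"""


def parse_log(text):
    """Parse the constructed format into (time, user, result, source) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, src = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result, src))
    events.sort(key=lambda e: e[0])
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=8, max_per_user=3):
    """
    Return one finding per spraying source.  Thresholds are assumed values:
    a source is a sprayer when, within `window`, at least `min_users` distinct
    accounts fail and no single account fails more than `max_per_user` times
    (a high per-account count is brute force, a different detection).
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e[2] == "FAIL"]
        for i, (t0, _, _, _) in enumerate(fails):
            # Count failures per account in the window starting at this failure.
            per_user = defaultdict(int)
            for t, user, _, _ in fails[i:]:
                if t - t0 > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                end = t0 + window
                # A success from the same source inside the spray window is the
                # follow-on access that matters most to an incident responder.
                successes = sorted({u for t, u, r, _ in evs
                                    if r == "SUCCESS" and t0 <= t <= end})
                prev = findings.get(src)
                if prev is None or len(per_user) > prev["distinct_users"]:
                    findings[src] = {
                        "source": src,
                        "distinct_users": len(per_user),
                        "window_start": t0.isoformat(),
                        "successes_in_window": successes,
                    }
    return [findings[s] for s in sorted(findings)]


def summarize(text):
    """Convenience wrapper: parse the log text and run the detector over it."""
    return detect_spray(parse_log(text))


if __name__ == "__main__":
    for finding in summarize(SAMPLE_LOG):
        print(finding)
```

The brute-force source is deliberately left out of the result: it trips a per-account lockout rule, not this one. In a real deployment the source key would usually be widened (an ASN or a user-agent, since sprayers rotate IPs) and the thresholds tuned against the baseline failure rate of the identity provider.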

A related group, which Dragos calls Parisite, appears to have worked with Magnallium to gain access to US utilities and oil and gas companies by exploiting vulnerabilities in virtual private networking software. The combined intrusion campaign of the two groups lasted throughout 2019 and continues to this day.

Dragos declined to comment on whether any of this activity actually resulted in breaches. The report does make clear, however, that despite the probing of corporate IT systems, Dragos saw no evidence that the Iranian hackers could reach the far more specialized software that controls the physical equipment of grid operators or oil and gas facilities. For electric utilities in particular, digitally triggering a power outage would require far more than the techniques Dragos describes in its report.

However, given the threat of Iranian counterattacks, infrastructure owners should still be aware of the campaign, argues Dragos founder and former NSA critical infrastructure threat analyst Rob Lee. And they should consider not only new attempts to break through their networks, but also the possibility that these systems have already been compromised. “I am not worried about the situation in Iran because we are going to see a new major operation,” said Lee. “My concern is the access that groups may already have.”

The password spraying and VPN exploitation campaigns observed by Dragos are not limited to grid operators or oil and gas, warns Joe Slowik, an analyst at Dragos. But he also said that Iran has shown “definite interest” in critical infrastructure targets, including electric utilities. “If they do things in such a widespread way that they seem aimless, sloppy, or noisy, they can try to build multiple access points relatively quickly and inexpensively, which can be expanded into follow-up activities at a point of their choosing,” says Slowik, who previously led the Incident Response Team at the Department of Energy.

Iran’s hackers have reportedly probed US electric utilities before, as have Russia and China, laying the groundwork for possible attacks. US hackers do the same in other countries. But this wave of grid probing would represent a newer campaign, following the collapse of the Obama administration’s nuclear deal with Iran and the tensions that have risen since, and that have eased somewhat after the Iranian missile attack on Tuesday night.

The password spraying campaign Dragos describes matches similar findings from Microsoft. In November, Microsoft reported that Magnallium had run a password spraying campaign over a similar period, but one aimed at vendors of industrial control systems such as those used by power companies, oil and gas facilities, and other industrial environments. Microsoft warned at the time that the campaign could be a first step toward sabotage, although other analysts have noted that it may also be aimed at industrial espionage.

Dragos declined to disclose details of the VPN vulnerabilities Parisite sought to exploit. ZDNet separately reported today, however, that Iranian hackers exploited vulnerabilities in a Pulse Secure or Fortinet VPN server to install wiper malware at Bahrain’s national oil company Bapco. Last year, reports from security company Devcore revealed vulnerabilities in Pulse Secure and Fortinet VPNs as well as those sold by Palo Alto Networks.

Lee warned that despite Magnallium’s and Parisite’s probing of the grid, Dragos’ findings should not cause panic about possible power outages. While Iran has shown interest in hacking industrial control systems, there is no sign it has successfully developed the tools and techniques needed to manipulate physical equipment such as circuit breakers. “I saw no way to significantly disrupt or destroy the infrastructure,” says Lee.

That does not mean, however, that Iranian intrusions into electric utilities or oil and gas companies are no cause for concern. John Hultquist, director of intelligence at FireEye, a security company that has tracked Magnallium for years under the name APT33, warns that the group’s intrusions have often resulted in less sophisticated, yet still debilitating, disruptions. The group has been tied to so-called wiper malware operations, cyberattacks that destroyed thousands of computers at Iran’s opponents across the Gulf region. The hackers may not be able to turn off the lights, but they can wreck a utility company’s computer network.

“We know what they’re capable of,” says Hultquist. “We have seen over and over again that they wiped the drives that businesses run their business on, and the business came to a standstill, and it cost them a fortune.”

