Iranian Hackers Have Been ‘Password-Spraying’ the US Grid

In the wake of the US assassination of Iranian general Qasem Soleimani and the retaliatory missile strike that followed, Iran-watchers have warned that the country could deploy cyberattacks as well, perhaps even targeting US critical infrastructure like the electric grid. A new report lends some fresh details to the nature of that threat: By all appearances, Iranian hackers don’t currently have the capability to start causing blackouts in the US. But they’ve been working to gain access to American electric utilities, long before tensions between the two countries came to a head.

On Thursday morning, industrial control system security firm Dragos detailed newly revealed hacking activity that it has tracked and attributed to a group of state-sponsored hackers it calls Magnallium. The same group is also known as APT33, Refined Kitten, or Elfin, and has previously been linked to Iran. Dragos says it has observed Magnallium carrying out a broad campaign of so-called password-spraying attacks, which guess a set of common passwords for hundreds or even thousands of different accounts, targeting US electric utilities as well as oil and gas firms.

A related group that Dragos calls Parisite has worked in apparent cooperation with Magnallium, the security firm says, attempting to gain access to US electric utilities and oil and gas firms by exploiting vulnerabilities in virtual private networking software. The two groups’ combined intrusion campaign ran through all of 2019 and continues today.

“My concern is with access that groups might already have.”

ROB LEE, DRAGOS

Dragos declined to comment on whether any of those activities resulted in actual breaches. The report makes clear, though, that despite the IT system probes they saw no sign that the Iranian hackers could access the far more specialized software that controls physical equipment in electric grid operators or oil and gas facilities. In electric utilities in particular, digitally inducing a blackout would require far more sophistication than the techniques Dragos describes in its report.

But given the the threat of Iranian counterattacks, infrastructure owners should nonetheless be aware of the campaign, argues Dragos founder and former NSA critical infrastructure threat intelligence analyst Rob Lee. And they should consider not just new attempts to breach their networks but also the possibility that those systems have already been compromised. “My concern with the Iran situation is not that we’re going to see some new big operation spin up,” Lee says. “My concern is with access that groups might already have.”

The password-spraying and VPN hacking campaigns that Dragos has observed aren’t limited to grid operators or oil and gas, cautions Dragos analyst Joe Slowik. But he also says Iran has shown “definite interest” in critical infrastructure targets that include electric utilities. “Doing things in such a widespread fashion, while it seems untargeted, sloppy, or noisy, allows them to try to build up relatively quickly and cheaply multiple points of access that can be extended into follow-on activity at a point of their choosing,” says Slowik, who formerly served as head of the Department of Energy’s incident response team.

Iran’s hackers have reportedly breached US electric utilities before, laying the groundwork for potential attacks on US electric utilities, as have Russian and China. US hackers do the same in other countries as well. But this wave of grid probing would represent a newer campaign, following the breakdown of the Obama administration’s nuclear deal with Iran and the tensions that have mounted between the US and Iran since and only somewhat eased since Iran’s missile strike Tuesday evening.

The password-spraying campaign Dragos describes matches up with similar findings from Microsoft. In November, Microsoft revealed that it had seen Magnallium carrying out a password-spraying campaign along a similar timeline, but targeting industrial control system suppliers of the kind used in electric utilities, oil and gas facilities, and other industrial environments. Microsoft warned at the time that this password-spraying campaign could be a first step toward sabotage attempts, though other analysts have noted it may have also been aimed at industrial espionage.

Dragos declined to share the details of the VPN vulnerabilities it observed Parisite attempting to exploit. But ZDNet today reported separately that Iranian hackers exploited vulnerabilities in either a Pulse Secure or Fortinet VPN server to plant wiper malware inside Bahrain’s national oil firm, Bapco. Reports from security firm Devcore last year found vulnerabilities in both Pulse Secure and Fortinet’s VPNs, as well as those sold by Palo Alto Networks.

Lee cautions that despite Magnallium and Parisite’s probing of the grid, Dragos’ findings shouldn’t cause panic over potential blackouts. While Iran has demonstrated an interest in industrial control system hacking, it’s shown no sign of successfully developing tools and techniques that would allow disruption of physical equipment like circuit breakers. “I’ve not seen any capability by them to be able to cause significant disruption or destruction on infrastructure,” Lee says.

But that doesn’t mean Iranian intrusions into electric utilities or oil and gas firms aren’t a cause for concern. John Hultquist, the director of intelligence at security firm FireEye, which has tracked Magnallium for years under the name APT33, warns that its intrusions have frequently led to less sophisticated but nonetheless crippling acts of disruption. The group has been tied to cyberattacks that have destroyed thousands of computers, so-called wiper malware operations that have hit Iran’s adversaries across the Gulf region. They may not be able to turn out the lights, but they could simply destroy an electric utility’s computer network.

“We know what they’re capable of,” Hultquist says. “Again and again we’ve seen them wipe the drives that companies are using to run their business, and business grinds to a halt, and it costs them a fortune.”