CyberWire Daily - Know Thine Enemy - Identifying North American Cyber Threats. [Research Saturday]
Episode Date: January 25, 2020

The electric utility industry is a valuable target for adversaries seeking to exploit industrial control systems (ICS) and operations technology (OT) for a variety of purposes. As adversaries and their sponsors invest more effort and money into obtaining effects-focused capabilities, the risk of a disruptive or destructive attack on the electric sector significantly increases. Selena Larson from Dragos joins us to discuss their new report, North American Electric Cyber Threat Perspective. The report can be found here: North American Electric Cyber Threat Perspective
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and
analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
The research we're discussing today is titled The North American Electric Cyber Threat Perspective.
So previously, we published one on oil and gas from a global perspective.
And this one specifically focuses on North American electric and the threat to electric utilities here in the U.S. as well as the rest of North America.
What this does essentially is it provides an overview of the threat landscape. It takes a lot of the intelligence that we work on on my team as a threat intelligence team and provides a sort of public
look at, you know, some of the adversaries that we're tracking, some of the activity that we have
seen targeting electric, as well as potential future disruption, as well as potential attack
scenarios that could potentially affect North American electric in the future.
Well, one of the things that you highlight early on in the report is you sort of outline the various activity groups that you're tracking here. Can we go through those together and maybe
just give us a taste of what each one of those groups seems to be about?
So we track seven activity groups that target electric utilities in North
America. When we say activity groups, this is essentially a collection of observables from
the adversary, their infrastructure, their behaviors, a lot of the activity that we've
seen, and we group them together. Dragos does not attribute in that we don't necessarily say
this activity was tied specifically to Iran or this activity was tied to this individual criminal enterprise.
We focus our intelligence on enabling defenders to do their job better. From a defender perspective, it doesn't necessarily matter because you can really focus
on defending against the behaviors regardless of the entity necessarily that's behind them.
So that's what I'm talking about when we talk about activity groups. So Parisite is one of
the newest groups that we have identified, and we just released it in this report because this group
does target North American electric. So they also target aerospace and oil
and gas entities. They generally have a broader geographic targeting than some of the other
activity groups that we track. But what's interesting with this group is that they
largely focus on leveraging known VPN or virtual private network vulnerabilities for initial access.
So some of your listeners might be familiar with the virtual private network or VPN vulnerabilities that were released back in 2019.
A lot of intelligence and government intelligence agencies have published reports discussing that APT or advanced threat actors are targeting these vulnerabilities for initial access.
So it's not just Parisite that is using VPNs for initial access, but we're kind of seeing this activity
from other groups that don't necessarily
target critical infrastructure.
So kind of an interesting data point for us.
But again, this is a newly observed group.
We do assess that this group
might facilitate initial access
or further operations for a group
that we call Magnallium.
So I can talk about Magnallium now.
It's kind of an interesting group. So generally, they have targeted energy and aerospace for a while, since at least 2013. Largely, they were active and mostly focusing on oil and gas and energy companies, and they have expanded their targeting to include electric utilities in the U.S. and North America.
This group, we haven't really assessed it to have sort of an ICS-specific capability,
like we've seen in previous attacks that leverage ICS malware to disrupt operations or, you know, cause really damaging consequences. But they are very highly interested in industrial control systems,
entities that have operations
that fall in sort of the industrial space.
And it is interesting that we have seen them expand
to North America.
Xenotime is another activity group that we have tracked
who has expanded its targeting to North America as well.
We actually reported on that back in 2019.
We do consider it to be one of the most, if not the most, dangerous threat to industrial control systems.
This is the group that was responsible for the disruptive TRISIS malware attack back in
August of 2017. They were able to sort of infiltrate the operations at an oil and gas
facility in the Middle East and
deployed highly specific targeted malware in that environment to cause a disruptive effect.
We do assess that Xenotime is also involved in compromising ICS vendors and manufacturers.
This does demonstrate a potential supply chain threat that is certainly concerning to industrial
as well. Then we have Dymalloy.
So Dymalloy we assess to be a pretty aggressive and capable activity group. We do believe they
have the ability to achieve long-term and persistent access both to the IT side of things
as well as operational environments, generally for intelligence collection and potentially future
disruption events. This activity group does have some associations or overlaps with Dragonfly 2.0, as well as Berserk Bear. And the group's victims do include electric
utilities and oil and gas in Turkey, Europe, as well as here in North America. We have seen
Dymalloy expanding its targeting to include the APAC region, just based on some newly identified
malware samples. And then we have Electrum. So
Electrum is interesting. So this is the group that is responsible for the CRASHOVERRIDE events in
Ukraine in 2016. This group largely focuses on electric utilities and mostly targets entities
in Ukraine. But it is one of the most sophisticated in that it does have the capability to sort of
develop and deploy ICS-specific malware within
an operations environment, right? So the CRASHOVERRIDE malware was pretty unique. It was pretty
interesting. It had a lot of ICS-specific modules coded into the malware. So they were able to sort
of deploy that within operations to have this really destructive effect. So Raspite is another
one that targets electric utilities in the U.S., as well as some
government entities in the Middle East. This one, we haven't seen new Raspite activity since about
mid-2018, so not a whole lot to say on that group. But Allanite is another interesting one. It targets
business and ICS networks in the U.S. and UK, largely electric utility sectors. We believe that this group
performs reconnaissance in operational environments to potentially stage disruptive effects. But again,
this is another group that does not necessarily have an ICS-specific capability. We haven't
observed Allanite having one at this time. So Covellite is another one that actually hasn't
seen a ton of activity recently, but we include any groups that don't necessarily have a ton of activity just because we are ongoing and we are tracking their behaviors.
And we'll provide updates to customers, of course, as soon as we identify any new stuff.
But they have previously compromised networks associated with electric energy, largely in Europe, East Asia, as well as here in North America.
Again, largely IT-focused
stuff, so no ICS-specific capabilities. And honestly, there really isn't a lot of evidence
or indications that this group actually remains active from an electric or ICS targeting perspective.
Interesting.
Chrysene is another one. So this group developed from a campaign, an espionage campaign that really gained attention
after the Shamoon attacks back in 2012 that impacted Saudi Aramco. This group has targeted
petrochemical, oil and gas, as well as electric generation sectors. We haven't seen them yet
targeting North America, North American ICS specifically, but they have seemed to have
shifted beyond the initial focus of the Gulf region in the Middle East.
And we do assess that they remain active as well as evolving.
And then finally, we have Wassonite.
So Wassonite targets electric generation, nuclear energy manufacturing and research entities in India and likely South Korea and Japan. We actually identified Wassonite as the activity group that was responsible for
the compromise of the Indian power company back in the fall of 2019. They largely rely on DTrack
malware that was observed in that campaign. And we believe they've operated since at least 2018.
Now, in terms of the names that you're using here for these various groups, are these names internal to Dragos? Is there a recognition of these names throughout the industry? How does that all land?
However, we do note that they have links to other activity groups. So threat intelligence, because so much of it operates outside of the public purview,
we can't necessarily match one to one and say, "This group is definitely the group that FireEye tracks as APT10."
That's why I hear a lot of people who are, you know, sort of frustrated with the naming
conventions when we're talking about adversaries or activity groups or, you know, threat groups, what have you. But fundamentally, it's a visibility issue,
right? So we don't have the same visibility as any other threat intelligence company,
and they don't have the same visibility as us. So we can say, you know, in our reporting that
Magnallium, for instance, and Magnallium is a good one. Magnallium does have links or sort of some behavior overlaps with a group
known as APT33. But we can't say, you know, it's a one for one match specifically because we do not
have the same visibility as the company that calls it APT33. So yeah, so oftentimes, you know,
we hear the public kind of complain, like, why don't we have one name for everything?
But there is some science behind that reason. But yeah, so all of these groups, we do come up with the names internally. And we'll
provide links to other groups when it does have some overlap. I see. Well, I mean, that's sort of
the cast of characters. Can you take us through some of the overall trends and the things that
you're seeing when it comes to these groups? Definitely. So one of the most concerning trends
that we have observed with some of our activity groups is this concept of threat proliferation.
So we have seen some of our adversaries, including Magnallium and Xenotime, who historically targeted
oil and gas entities, largely in the Middle East, expanding their targeting and their
activity into North American electric.
So this report shows that activity groups are not necessarily focused on one geography
or one specific vertical.
So that means any operators that are operating in the industrial space have to be aware of all activity groups that are targeting any industrial-related entity
because at any point they could shift their targeting and begin to target their vertical. What we're seeing here too, is it's not that they're changing
their behaviors necessarily as they're changing up this targeting, right? So if you as a defender
are aware of the behaviors, the tactics, techniques, and procedures that are used by the various
groups, when they do decide to focus their energy
and their attention and their efforts
on your specific industry,
you can be defended
because previously you have been aware of this behavior,
you have incorporated a lot
of the defensive recommendations.
And so when they turn their sights on you,
it might not be as successful
because they're using similar behaviors.
Yeah, that's interesting.
I mean, this is I'm sure an imperfect analogy, but I kind of think of, you know, if you think of all the different stores at a mall,
you know, if someone's shoplifting at the, you know, the Apple store, the folks down at the
Disney store down the hall, they're still going to have to worry about shoplifters, even though
they're in different, you know, lines of the things that they sell. But at the end of the day,
they're all retailers. Yeah. And maybe the shoplifter puts it in their right-hand pocket, right?
Right, right.
So you can train your video cameras on that particular area
or they normally go to this one particular toy section, things like that, yeah.
Right, right.
And so is it true that there's a lot of overlap
or a significant enough amount of overlap in the types of tools and things that the folks in the ICS space use, regardless of what flavor of ICS they're dealing with, that that leads to some of this crossover?
Yeah, it's largely similar. Yeah. And so that's kind of why while we were largely focusing the report on electric utilities, for instance,
it really does apply kind of across the board here. It was kind of the same for Xenotime when
we're talking about oil and gas targeting, right? So Xenotime had previously targeted ONG,
but it expanded into electric utilities. The same could potentially be said for entities that,
you know, will target manufacturing or will target electric. And then they, you know,
kind of expand their behaviors to these other different verticals.
So we really kind of want to drive home the point that it's not necessarily,
you're not safe because you're not a target.
Targeting can change at any time.
And what remains fairly consistent is the behaviors that these groups are exhibiting.
Now, the behaviors change between activity groups. So, for instance, we're talking about Parisite using VPN targeting,
potentially talking about Magnallium using password spraying, you know, Xenotime having the ability to
sort of burrow into the control systems network and execute very specific behaviors within the
control system to deploy its TRISIS malware. So individual groups have individual tactics,
but, you know, as a whole, they largely stay the same. And that's, you know, this idea of
threat behaviors or the TTPs, right? You know, when you kind of understand those and defend
against those, hopefully you can be defended against, you know, an adversary when they decide
to set their sights on you. Now, a good part of the report goes through important information about the North American
electric system itself. Can you give us an overview? What are the things that's important
for people to understand about the system? Oftentimes, you know, when folks will talk
about the North American electric system, they use this idea of the electric grid,
sort of an electric grid kind of being a single entity. That's a little bit of a misnomer.
It's actually generally referred to as the bulk electric system. So this refers to the way the
power is generated, transmitted, and distributed all across North America. And what I really want
to kind of point out here is that the entire bulk electric system is very complex, first of
all. So this idea of potentially flipping a switch and taking down the entire quote unquote electric
grid is not the reality. It's also very resilient, right? So you have a lot of threats to the bulk
electric system. It's not just from a cyber perspective, right? So anytime there's a severe
storm, we're talking hurricanes, for instance, that could be a big one.
Or, you know, other natural threats like earthquakes that can cause major disruptions.
We've seen fires, certainly, that have major impacts on the availability of power in certain areas.
Squirrels. Let's not forget squirrels.
Of course. Yes. Squirrels. Yes. Animal. Fire ants. That's another big one, actually.
Really? Okay. I hadn't heard. Oh, interesting. Yeah, yeah, yeah.
So you have a lot of these threats that aren't necessarily exclusively cyber.
And so they have built up this extremely resilient and segmented system.
I also want to point out here, too, that a lot of electric power entities in North America and certainly in the United States have to adhere to cybersecurity
standards or regulations that are essentially put in place. These are basically created by the FERC,
the Federal Energy Regulatory Commission, and the North American Electric Reliability Corporation.
So these are the sort of governing bodies of the safety and security of the electric system,
and there are cyber regulations that are in place. That's
important to note because you don't really see that with other industrial operations necessarily,
right? Like you don't have this sort of thing, they're called the critical infrastructure
protection regulations. You don't have CIP regulations on, say, manufacturing, for instance.
And so they do a pretty good job of sort of establishing these sort of like baseline
cybersecurity practices that you have to sort of adhere to or you could potentially face, you know, various consequences.
I believe, you know, they've levied some pretty hefty financial consequences up in the millions even over the last year because they were sort of not adhering to these standards.
And so there are mostly three components that we discussed in our report. So
you have the generation piece of the electric system, the transmission piece, and then you
have the distribution piece. And that's what actually gets the electricity out to your homes
and businesses and helps you listen to your phone that you just charged and are listening to this
podcast on. And so we kind of use that as a base to sort of break up the threat landscape
from these different generation, transmission, and distribution phases.
Because we do see adversaries targeting different parts of the electric system,
it's not all targeted on generation or distribution necessarily.
And so in the report, we do kind of talk about some adversaries who have targeted specific pieces of the grid system.
I think it's interesting how different threat actors have their hand in different areas.
And the things that you've been tracking, they seem to have different specialties of which parts of the grid they're most interested in.
Certainly. Yeah. Yeah. So for instance, generation is a really good example. We have seen, you know,
three activity groups that have either the intent or capability to potentially disrupt this portion
of the bulk electric system. So, Dymalloy is an interesting, good example. This group actually
did target generation facilities and was able to
obtain screenshots of sensitive ICS data. This includes HMI, so human machine interfaces, for
instance, or sensitive documentation that kind of describes plant operations. And so we haven't seen
them actually execute an attack like we've seen in other parts of the world, nor have we seen
them have this sort of specialized ICS-specific malware capability.
But certainly the information that they could glean from targeting those types of facilities
could help them potentially prepare for a more disruptive or invasive attack.
Well, with the time we have left together,
can you take us through some of the recommendations that you all have made here?
What are some of the best ways for organizations who are in this line of business to be able to protect themselves?
Yeah, so we provided a bunch of defensive recommendations. And I want to make it clear
to you, it's not just for electric utilities. We did certainly map them to any critical
infrastructure protection regulations that made sense in this piece. But I think, you know, any sort of industrial operator can read this report and kind of
an overview of the recommendations that we provide and take it to their operators and say, hey, like,
here are some of the things that Dragos is saying we should be doing. What are we doing?
And one of the big ones is this idea of consequence-driven security assessments and
protecting, you know, the crown jewels, so to speak.
So this would be identifying and prioritizing
your most critical assets and connections
and trying to identify the actual consequences of cyber attacks.
What happens if they are able to sort of compromise this crown jewel?
So third parties is another big one that we've seen
from our adversaries sort of targeting those sensitive and trustworthy connections between whether it's a vendor and a utility or, you know, a contractor or an engineer that might be virtually logging into whatever control system environment or their workstation, let's say.
So you really want to make sure that third-party connections and ICS
interactions are monitored and logged from the sort of like trust but verify mindset. You really
want to make sure that only the people who you are allowing to or you want to be accessing
your networks are. This is also too when we're talking about like third parties or supply chain.
A lot of times you think about the supply chain piece as hardware backdoors into some sort of device that goes on your network,
and then they can kind of infiltrate or scramble around from there.
I kind of want to point out here, too, that the idea of supply chain or the idea of this sort of third-party access
is not unique to these sort of very sophisticated and complicated and largely overblown hardware backdoors.
Not to say that that's not a threat, right?
So we're talking about, for instance, Dymalloy or Allanite, they're good examples, right? Sort of,
you know, targeting or going after the vendors and contractors to try and get in sideways and
use those trusted relationships to pretend to be a legitimate or trusted third party.
So that encompasses, you know, the supply chain threat. Response plans are really important. That's something that we've certainly seen, not just for ICS, but, you know, across the board, we're talking about enterprise as well with all of these ransomware attacks that we've certainly seen an uptick in over the last year.
Having a response plan, A, and, B, actually practicing and, you know, like doing a dry run of these response plans can really help the investigations, really lower time to response as well. So that's super important.
You know, it's a very interesting report. And I think one of the things
that I took away from it is the ability to put everything in perspective, that yes, these things are serious.
But I think particularly with the electrical system, it's easy for people's imagination to
run away with themselves and to kind of imagine a worst case scenario. And my sense here with
this report is that you're putting across the message that yes, these things are serious, but there's no need to panic.
Let's stay sober about these and address them in a very sort of systematic and rational way.
Yes, definitely.
Thank you for picking up on that.
You know, it is really important to us at Dragos to combat this idea of fear, uncertainty, and doubt.
The InfoSec community calls it FUD,
right? This idea of the sky is falling when anything happens. The threats are real. The
threats are very serious. Certainly the things that we have seen adversaries capable of doing,
both in the Middle East and Ukraine, is very concerning. We are seeing an interest,
an uptick in interest in industrial companies in the industrial space. But yes, this message of don't panic, really getting the lay of the land here, really talking
about the activity that we're seeing, right?
So for the most part, our adversaries that we're observing don't necessarily have an
ICS-specific capability like we have seen with Xenotime and Electrum.
And also this idea that there are really good people who work in this space
who are doing really good work and hyper-focused
on protecting our critical infrastructure,
protecting electric utilities here in North America.
You know, like I said,
the threats are not just coming from a cyber place.
They're also coming from a physical space as well.
And there are a ton of people doing really good work
to make sure that we are resilient, that we can respond to these things, that we have processes in place to be able to
defend ourselves from whatever the threat may be.
That's Selena Larson from Dragos. The report is
titled The North American Electric Cyber Threat Perspective. We'll have a link in the show notes.
The CyberWire Research Saturday is proudly produced in Maryland
out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, and Ben Yelin. Thanks for listening.