For all the nation-state hacker groups that have targeted the US power grid, and even successfully breached American electric utilities, only the Russian military intelligence group known as Sandworm has been brazen enough to trigger actual blackouts, shutting off the lights in Ukraine in 2015 and again in 2016. Now a security firm is warning that a group with ties to Sandworm's uniquely dangerous hackers has also been actively targeting the US power system for years.
On Wednesday, industrial cybersecurity firm Dragos released its annual report on the state of industrial control system security, identifying four new foreign hacking groups targeting these critical infrastructure systems. According to Dragos, three of the newly named groups have targeted industrial control systems in the US. Perhaps most notable of all is a group Dragos calls Kamacite, which the company describes as working with the GRU's Sandworm. Kamacite has served as Sandworm's "access" team in the past, the Dragos researchers write, focused on gaining a foothold on a target network before that access was handed off to another group of Sandworm hackers, who then sometimes carried out disruptive effects. According to Dragos, Kamacite has repeatedly targeted US electric utilities, oil and gas companies, and other industrial firms since 2017.
"They are continuously working against US electricity companies to maintain a semblance of persistence," says Dragos vice president of threat intelligence and former NSA analyst Sergio Caltagirone. In a handful of cases over those four years, Caltagirone says, the group's attempts to breach the networks of those US targets have succeeded, resulting in access to those utilities that has been intermittent, if not quite persistent.
So far, however, Dragos has only confirmed successful Kamacite breaches of US networks, Caltagirone says, and has never seen those intrusions lead to disruptive payloads in the US. But because Kamacite's history is to work as part of Sandworm's operations, which caused power outages in Ukraine not once but twice (at the end of 2015 cutting electricity to a quarter of a million Ukrainians, and at the end of 2016 to a fraction of the capital, Kyiv), its presence on US networks should set off alarms. "Clearly, when you see Kamacite on an industrial network, or targeting industrial companies, you can't be sure that they are just gathering information. You have to assume that something else will follow," says Caltagirone. "Kamacite is dangerous to industrial control systems because when they attack, they have a connection to groups that know how to conduct destructive operations."
Dragos links Kamacite not only to US targets but also to European ones that go far beyond the well-known attacks in Ukraine. That includes a hacking campaign against the German electricity sector in 2017. Caltagirone adds that "between 2017 and 2018 there were some successful intrusions by Kamacite in industrial environments in Western Europe".
Dragos warns that Kamacite's main intrusion tools have been spear-phishing emails carrying malware payloads and brute-forcing of cloud-based logins for Microsoft services such as Office 365 and Active Directory, as well as virtual private networks. Once inside, the group uses valid user accounts to maintain access and has used the Mimikatz credential-theft tool to spread further through victims' networks.
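The brute-forcing of cloud and VPN logins described above leaves a recognisable pattern in sign-in logs: one source trying a guess or two against many accounts (a password spray), or many failures against a single account, and in the bad case a success from the same source shortly afterwards. The detector below is an added example written for this article, not Dragos's tooling or anything from the report; the four-field JSON record format and the log lines are constructed for illustration, and a real Office 365, Azure AD or VPN export would have to be mapped onto those fields first.

```python
"""Password-spray and brute-force detection over sign-in logs.

Added example (not Dragos code). Each log line is a constructed JSON record
with four fields: ts (UTC ISO-8601), user, src (source IP), result
("success" or "failure"). Map a real Office 365 / Azure AD / VPN export onto
these fields before feeding it in.
"""
import json
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts user src result")

# Constructed sample: 203.0.113.7 sprays one guess across six accounts and
# then logs in as frank; 198.51.100.9 hammers bob's account; 192.0.2.5 is a
# normal user sign-in that must not be flagged.
SAMPLE_LOG = """
{"ts": "2021-02-24T08:00:01Z", "user": "alice@utility.example", "src": "203.0.113.7", "result": "failure"}
{"ts": "2021-02-24T08:00:02Z", "user": "bob@utility.example", "src": "203.0.113.7", "result": "failure"}
{"ts": "2021-02-24T08:00:03Z", "user": "carol@utility.example", "src": "203.0.113.7", "result": "failure"}
{"ts": "2021-02-24T08:00:04Z", "user": "dave@utility.example", "src": "203.0.113.7", "result": "failure"}
{"ts": "2021-02-24T08:00:05Z", "user": "erin@utility.example", "src": "203.0.113.7", "result": "failure"}
{"ts": "2021-02-24T08:00:06Z", "user": "frank@utility.example", "src": "203.0.113.7", "result": "failure"}
{"ts": "2021-02-24T08:01:10Z", "user": "frank@utility.example", "src": "203.0.113.7", "result": "success"}
{"ts": "2021-02-24T08:02:00Z", "user": "alice@utility.example", "src": "192.0.2.5", "result": "success"}
{"ts": "2021-02-24T08:05:00Z", "user": "bob@utility.example", "src": "198.51.100.9", "result": "failure"}
{"ts": "2021-02-24T08:05:15Z", "user": "bob@utility.example", "src": "198.51.100.9", "result": "failure"}
{"ts": "2021-02-24T08:05:30Z", "user": "bob@utility.example", "src": "198.51.100.9", "result": "failure"}
{"ts": "2021-02-24T08:05:45Z", "user": "bob@utility.example", "src": "198.51.100.9", "result": "failure"}
{"ts": "2021-02-24T08:06:00Z", "user": "bob@utility.example", "src": "198.51.100.9", "result": "failure"}
{"ts": "2021-02-24T08:06:15Z", "user": "bob@utility.example", "src": "198.51.100.9", "result": "failure"}
"""


def parse(line):
    """Turn one JSON log line into an Event with a datetime timestamp."""
    d = json.loads(line)
    return Event(datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                 d["user"], d["src"], d["result"])


def _max_in_window(events, window, key=None):
    """Largest number of events (or of distinct key(e) values) inside any
    span no longer than `window`; `events` must be sorted by timestamp."""
    best = start = 0
    for end, e in enumerate(events):
        while e.ts - events[start].ts > window:
            start += 1
        span = events[start:end + 1]
        best = max(best, len({key(x) for x in span}) if key else len(span))
    return best


def detect(lines, window=timedelta(minutes=10), spray_accounts=5, bf_failures=6):
    """Return findings: password sprays per source IP (with any later successes
    from that IP) and brute-force runs per (source IP, account)."""
    events = sorted((parse(l) for l in lines if l.strip()), key=lambda e: e.ts)
    fails_by_src = defaultdict(list)
    fails_by_src_user = defaultdict(list)
    for e in events:
        if e.result == "failure":
            fails_by_src[e.src].append(e)
            fails_by_src_user[(e.src, e.user)].append(e)
    findings = []
    for src, fails in fails_by_src.items():
        n = _max_in_window(fails, window, key=lambda e: e.user)
        if n >= spray_accounts:
            # A success from the spraying IP after its guessing began is the
            # urgent signal: that account is probably now in the attacker's hands.
            hits = sorted({e.user for e in events if e.src == src
                           and e.result == "success" and e.ts >= fails[0].ts})
            findings.append({"type": "password_spray", "src": src,
                             "accounts": n, "followed_by_success": hits})
    for (src, user), fails in fails_by_src_user.items():
        n = _max_in_window(fails, window)
        if n >= bf_failures:
            findings.append({"type": "brute_force", "src": src,
                             "user": user, "failures": n})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG.strip().splitlines()):
        print(finding)
```

The `followed_by_success` list is the part worth paging someone for: a spray that never lands is noise, while an account that authenticates from the spraying source is the "valid user account" the article describes the group living on afterwards, and the place to revoke sessions and reset credentials first.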
"One group gets in, the other … knows what to do"
Kamacite's relationship with the hackers known as Sandworm, identified by the NSA and the US Department of Justice as Unit 74455 of the GRU, is not entirely clear. Attempts by threat intelligence firms to define distinct groups of hackers within shadowy intelligence agencies like the GRU have always been murky. By naming Kamacite as a separate group, Dragos seeks to break down Sandworm's activities differently from others who have publicly reported on it, separating Kamacite as an access-focused team from another Sandworm-related group that Dragos calls Electrum. Dragos describes Electrum as an "effects" team responsible for destructive payloads such as the malware known as Crash Override or Industroyer, which triggered the 2016 blackout in Kyiv and was also designed to potentially disable safety systems and destroy grid equipment.
In other words, together the groups that Dragos calls Kamacite and Electrum form what other researchers and government agencies collectively call Sandworm. "One group gets in, the other knows what to do when they get in," says Caltagirone. "And when they work separately, which we also observe, we can clearly see that neither is very good at the other's job."
When WIRED reached out to other threat intelligence firms including FireEye and CrowdStrike, none could confirm the Sandworm-related intrusion campaign against US utilities that Dragos reported. But FireEye has previously confirmed a broad US-targeted intrusion campaign tied to another GRU group known as APT28 or Fancy Bear, which WIRED reported last year after obtaining an FBI notification email sent to targets of that campaign. Dragos pointed out at the time that the APT28 campaign shared command-and-control infrastructure with another intrusion attempt that had targeted a US energy organization in 2019, according to an advisory from the US Department of Energy. Given that APT28 and Sandworm have worked hand in hand in the past, Dragos now attributes that 2019 energy-sector targeting to Kamacite, as part of its larger multiyear, US-focused hacking spree.
Vanadinite and Talonite
The Dragos report names two more new groups targeting industrial control systems in the United States. The first, which Dragos calls Vanadinite, appears to have ties to the broad group of Chinese hackers known as Winnti. Dragos blames Vanadinite for attacks that used ransomware known as ColdLock to disrupt Taiwanese victim organizations, including state-owned energy companies. But it also notes that Vanadinite has gone after energy, manufacturing and transportation targets around the world, including in Europe, North America and Australia, in some cases by exploiting vulnerabilities in VPNs.
The second newly named group, which Dragos calls Talonite, also appears to have targeted North American electric utilities with malware-laced spear-phishing emails. That targeting ties in with earlier malware phishing attempts using a tool known as LookBack, identified by Proofpoint in 2019. The fourth new group, which Dragos calls Stibnite, has targeted Azerbaijani electric utilities and wind farms through phishing websites and malicious email attachments, but has not hit the US, to the security company's knowledge.
While none of the ever-growing list of hacking groups targeting industrial control systems around the world appear to have used those control systems to cause actual disruptive effects in 2020, Dragos warns that the sheer number of these groups is a worrying trend. Caltagirone points to a rare but relatively crude disruption that targeted a small water treatment facility in Oldsmar, Florida, earlier this month, in which an as-yet-unidentified hacker attempted to drastically raise the level of lye (sodium hydroxide) in the water supply of the city of 15,000 residents. Given the lack of safeguards at these kinds of small infrastructure targets, a group like Kamacite could easily cause widespread harmful effects without the expertise of a partner group like Electrum, Caltagirone says.
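One safeguard that is cheap to add at a small facility is a setpoint sanity check that runs independently of the HMI and refuses writes that fall outside the engineering range, jump too far in a single step, or drift too far within a time window (the last case catches an intruder who walks a value up in small, individually plausible increments). The guard below is an added, hypothetical example, not code from the Oldsmar plant, any vendor, or the Dragos report; the units (ppm of a dosing chemical) and all limits are illustrative placeholders.

```python
"""Independent setpoint guard for a chemical-dosing loop.

Added, hypothetical example: not code from the Oldsmar plant, any vendor,
or the Dragos report. It sits between whatever issues setpoint writes
(HMI, remote-access session, script) and the controller, and refuses writes
that leave the engineering range, jump too far in one step, or drift too far
within a time window. Units and limits are illustrative placeholders.
"""
from collections import deque


class SetpointGuard:
    def __init__(self, name, low, high, max_step, max_drift, drift_window_s, initial):
        self.name = name
        self.low, self.high = low, high          # engineering range
        self.max_step = max_step                 # largest change per write
        self.max_drift = max_drift               # largest net change per window
        self.drift_window_s = drift_window_s
        self.current = initial
        # (timestamp, accepted value); history[0] is the value that was in force
        # at the start of the current window and is the baseline for drift.
        self.history = deque([(0.0, initial)])
        self.alarms = []

    def _refuse(self, reason):
        self.alarms.append(f"{self.name}: {reason}; write refused")
        return self.current

    def write(self, requested, ts, source="hmi"):
        """Apply a setpoint write at time `ts` (seconds). Returns the value now
        in force, which is unchanged when the write is refused."""
        if not (self.low <= requested <= self.high):
            return self._refuse(f"{source} requested {requested} outside "
                                f"[{self.low}, {self.high}]")
        if abs(requested - self.current) > self.max_step:
            return self._refuse(f"{source} requested step {self.current}->{requested} "
                                f"exceeding {self.max_step}")
        # Keep the most recent accepted value older than the window as the
        # baseline; anything before it is no longer needed.
        while len(self.history) > 1 and ts - self.history[1][0] > self.drift_window_s:
            self.history.popleft()
        baseline = self.history[0][1]
        if abs(requested - baseline) > self.max_drift:
            return self._refuse(f"{source} would move {baseline}->{requested} within "
                                f"{self.drift_window_s}s, exceeding drift {self.max_drift}")
        self.current = requested
        self.history.append((ts, requested))
        return self.current


def demo():
    """Walk the guard through an absurd write, a big jump, and a slow creep."""
    g = SetpointGuard("naoh_dose_ppm", low=50, high=200, max_step=25,
                      max_drift=40, drift_window_s=3600, initial=100)
    results = [
        g.write(11100, ts=10),   # absurd value: refused, stays 100
        g.write(140, ts=20),     # 40 ppm jump in one write: refused
        g.write(120, ts=30),     # accepted
        g.write(140, ts=40),     # accepted, net drift in window now 40
        g.write(160, ts=50),     # creep past the drift limit: refused
        g.write(160, ts=4000),   # new window, baseline 140: accepted
    ]
    return results, g.alarms


if __name__ == "__main__":
    values, alarms = demo()
    print(values)
    for a in alarms:
        print(a)
```

The point of the drift window is that per-write limits alone are not enough: an attacker (or a mistaken operator) can reach any value by making many small changes, so the guard also bounds the net movement over an hour. In a real plant the refused writes should raise an alarm the operator sees, and the guard must run somewhere the HMI session cannot reconfigure it.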
That means the rise of even relatively unskilled groups is a real threat, Caltagirone says. The number of groups targeting industrial control systems has grown steadily since Stuxnet showed at the start of the last decade that industrial hacking with physical effects was possible. "Many groups appear and not many leave," says Caltagirone. "I feel like we're going to peak in three to four years and it's going to be an absolute disaster."
This story originally appeared on wired.com.