Industrial control system security firm Dragos detailed newly revealed hacking activity that it has tracked and attributed to a group of state-sponsored hackers it calls Magnallium. The same group is also known as APT33, Refined Kitten, or Elfin and has previously been linked to Iran.
Dragos says it has observed Magnallium carrying out a broad campaign of so-called password-spraying attacks, which guess a set of common passwords for hundreds or even thousands of different accounts, targeting US electric utilities as well as oil and gas firms.
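The defensive signature of the technique described above is the inverse of classic brute force: one source touches many accounts with only one or two guesses each, staying under per-account lockout thresholds. The following detection logic is an added example written for this page (not Dragos's tooling, and not drawn from the reported campaign); the log format, field names and IP addresses are constructed for illustration, and the thresholds are assumptions a defender would tune to their own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-authentication events (not real data). One
# source tries a single guess against many accounts (spray pattern), a second
# hammers one account (brute-force pattern), a third is ordinary user error.
SAMPLE_LOG = """\
2019-11-04T08:00:01Z FAILED_LOGIN user=alice src=203.0.113.7
2019-11-04T08:00:03Z FAILED_LOGIN user=bob src=203.0.113.7
2019-11-04T08:00:05Z FAILED_LOGIN user=carol src=203.0.113.7
2019-11-04T08:00:07Z FAILED_LOGIN user=dave src=203.0.113.7
2019-11-04T08:00:09Z FAILED_LOGIN user=erin src=203.0.113.7
2019-11-04T08:00:11Z FAILED_LOGIN user=frank src=203.0.113.7
2019-11-04T08:00:13Z FAILED_LOGIN user=grace src=203.0.113.7
2019-11-04T08:00:15Z FAILED_LOGIN user=heidi src=203.0.113.7
2019-11-04T08:01:00Z FAILED_LOGIN user=admin src=198.51.100.9
2019-11-04T08:01:01Z FAILED_LOGIN user=admin src=198.51.100.9
2019-11-04T08:01:02Z FAILED_LOGIN user=admin src=198.51.100.9
2019-11-04T08:01:03Z FAILED_LOGIN user=admin src=198.51.100.9
2019-11-04T08:01:04Z FAILED_LOGIN user=admin src=198.51.100.9
2019-11-04T08:01:05Z FAILED_LOGIN user=admin src=198.51.100.9
2019-11-04T08:30:00Z FAILED_LOGIN user=ivan src=192.0.2.20
2019-11-04T08:30:20Z FAILED_LOGIN user=ivan src=192.0.2.20
"""

# Assumed simplified log line layout: "<ISO8601 UTC> FAILED_LOGIN user=<u> src=<ip>"
LINE_RE = re.compile(r"^(\S+) FAILED_LOGIN user=(\S+) src=(\S+)$")


def parse_failures(text):
    """Yield (timestamp, user, src) tuples from the simplified log format above."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3)


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_accounts=5, max_per_account=3):
    """Flag sources that fail against many distinct accounts with few tries each.

    Brute force: many failures against one account. Spray: a few guesses spread
    across many accounts, each below lockout. Returns {src: sorted accounts}
    covering the widest qualifying time window seen for each spraying source.
    Thresholds are assumed defaults, not values from any published report.
    """
    by_src = defaultdict(list)
    for ts, user, src in events:
        by_src[src].append((ts, user))

    findings = {}
    for src, attempts in by_src.items():
        attempts.sort()
        best = None
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until all attempts fit inside it.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            counts = defaultdict(int)
            for _, user in attempts[start:end + 1]:
                counts[user] += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                users = sorted(counts)
                if best is None or len(users) > len(best):
                    best = users
        if best is not None:
            findings[src] = best
    return findings


def classify(text):
    """Parse a log excerpt and return the password-spray findings."""
    return detect_password_spray(parse_failures(text))


if __name__ == "__main__":
    for src, users in classify(SAMPLE_LOG).items():
        print(f"possible password spray from {src}: {len(users)} accounts {users}")
```

Keying on the source address is the simplest form of this check; campaigns that rotate through many source addresses need the same distinct-account counting keyed on something else (a VPN session, an ASN, a user-agent), so the per-source grouping here is the part most worth adapting.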
A related group that Dragos calls Parisite has worked in apparent cooperation with Magnallium, the security firm says, attempting to gain access to US electric utilities and oil and gas firms by exploiting vulnerabilities in virtual private networking software. The two groups' combined intrusion campaign ran through all of 2019 and continues today.
While the Iranians are a long way from digitally inducing a blackout with these techniques, the activity is a sign that they are working toward that capability.
Dragos founder and former NSA critical infrastructure threat intelligence analyst Rob Lee said: "My concern with the Iran situation is not that we're going to see some new big operation spin up. My concern is with access that groups might already have."
Dragos analyst Joe Slowik said: "Doing things in such a widespread fashion, while it seems untargeted, sloppy, or noisy, allows them to try to build up relatively quickly and cheaply multiple points of access that can be extended into follow-on activity at a point of their choosing."
Iran's hackers have reportedly breached US electric utilities before, laying the groundwork for potential attacks on them, as have Russia and China.