Iranian Hackers Are Going After A Disturbing New Physical Target
Iranian hackers are evolving their focus, targeting the so-called industrial control systems used by power grids, manufacturing and oil refineries.
According to Wired, which spoke to Microsoft ahead of a presentation at the Cyberwarcon in Virginia on November 21, the active Iranian hacking group APT33 could be laying the groundwork for physical attacks.
The Iranian group–also known as Holmium, Refined Kitten or Elfin–has been performing password spraying attacks over the last year, according to Microsoft’s research. Password spraying is a simple attack that exploits weak credentials: rather than hammering one account with many guesses, the attacker tries a handful of common passwords against a large number of accounts, keeping the failures per account low enough to stay under lockout thresholds and below the radar of per-account alerting.
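Because a spray spreads its guesses thinly across many accounts, per-account lockout and per-account failure counts miss it; the signal is instead a single source failing against many distinct accounts with very few attempts each. The following detector, an added example that is not part of the original article or of Microsoft's tooling, runs over constructed authentication log lines (the log format, field names and thresholds are assumptions for illustration) and separates a spray from a classic single-account brute force. It also reports any account that logged in successfully from the spraying source inside the same window, which is the account to treat as compromised first.

```python
"""Detect password spraying vs. brute force in authentication failure logs.

Added example: generic 'login user=... src=... result=...' lines are assumed;
real IdP, VPN or SSH logs need their own parser, but the grouping logic is the same.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 203.0.113.9 sprays seven accounts once each and then
# succeeds on 'heidi'; 198.51.100.7 brute-forces 'alice'; 192.0.2.44 is a user typo.
SAMPLE_LOG = """\
2019-11-20T08:00:01Z login user=alice src=203.0.113.9 result=FAIL
2019-11-20T08:00:03Z login user=bob src=203.0.113.9 result=FAIL
2019-11-20T08:00:05Z login user=carol src=203.0.113.9 result=FAIL
2019-11-20T08:00:07Z login user=dave src=203.0.113.9 result=FAIL
2019-11-20T08:00:09Z login user=erin src=203.0.113.9 result=FAIL
2019-11-20T08:00:11Z login user=frank src=203.0.113.9 result=FAIL
2019-11-20T08:00:13Z login user=grace src=203.0.113.9 result=FAIL
2019-11-20T08:00:15Z login user=heidi src=203.0.113.9 result=OK
2019-11-20T08:01:00Z login user=alice src=198.51.100.7 result=FAIL
2019-11-20T08:01:02Z login user=alice src=198.51.100.7 result=FAIL
2019-11-20T08:01:04Z login user=alice src=198.51.100.7 result=FAIL
2019-11-20T08:01:06Z login user=alice src=198.51.100.7 result=FAIL
2019-11-20T08:01:08Z login user=alice src=198.51.100.7 result=FAIL
2019-11-20T08:05:00Z login user=ivan src=192.0.2.44 result=FAIL
2019-11-20T08:05:30Z login user=ivan src=192.0.2.44 result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse(log_text):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"],
            "src": m["src"],
            "result": m["result"],
        })
    return events


def detect(events, window=timedelta(minutes=10), spray_min_accounts=5,
           spray_max_per_account=2, bruteforce_min_attempts=5):
    """Classify each source address; returns {src: finding} for flagged sources only.

    spray:      >= spray_min_accounts distinct accounts, each failing at most
                spray_max_per_account times inside one window (thin and wide).
    bruteforce: one account failing >= bruteforce_min_attempts times (deep and narrow).
    Thresholds are assumed values; tune them against your own lockout policy.
    """
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        for i, start in enumerate(fails):
            end = start["ts"] + window
            bucket = [f for f in fails[i:] if f["ts"] <= end]
            per_user = Counter(f["user"] for f in bucket)
            heaviest = max(per_user.values())
            if len(per_user) >= spray_min_accounts and heaviest <= spray_max_per_account:
                kind = "spray"
            elif heaviest >= bruteforce_min_attempts:
                kind = "bruteforce"
            else:
                continue
            # A success from the same source inside the window is the likely foothold.
            successes = sorted({e["user"] for e in evs
                                if e["result"] == "OK" and start["ts"] <= e["ts"] <= end})
            findings[src] = {
                "kind": kind,
                "accounts_tried": len(per_user),
                "max_attempts_per_account": heaviest,
                "successes_in_window": successes,
            }
            break  # first matching window per source is enough for an alert
    return findings


def analyze(log_text):
    """Convenience wrapper: parse then detect."""
    return detect(parse(log_text))


if __name__ == "__main__":
    for src, f in analyze(SAMPLE_LOG).items():
        print(src, f)
```

Grouping by source IP is the simplification here: a careful spray rotates through proxies and spaces attempts out over hours or days, so in practice the same counting is also done per user-agent, per ASN and over long windows, and a success that follows a spray is escalated regardless of how many failures preceded it.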
But the group’s focus is now apparently becoming more targeted: It has narrowed its focus to just 2,000 organizations, while increasing the number of accounts targeted by around 10 times.
About half of the top 25 organizations targeted were manufacturers, suppliers or maintainers of industrial control system equipment–the systems that underpin critical infrastructure such as power grids, Microsoft’s report claims.
Wired reported that the attackers’ motivations are not clear–nor is it possible to decipher which industrial control systems they have already breached. But Microsoft security researcher Ned Moran thinks that the group wants to lay the groundwork for physically disruptive cyberattacks.
“They’re going after these producers and manufacturers of control systems, but I don’t think they’re the end targets,” Moran told Wired. “They’re trying to find the downstream customer, to find out how they work and who uses them. They’re looking to inflict some pain on someone’s critical infrastructure that makes use of these control systems.”
Moran admitted there is no direct evidence to demonstrate a move from espionage and reconnaissance to a physical cyberattack, but the firm’s threat intelligence group has seen incidents that suggest APT33 is laying the groundwork.
Indeed, Microsoft said the Iranian APT33 group’s fingerprints were present in multiple intrusions where the victims were later hit by Shamoon, the disk-wiping malware used in attacks against oil companies.
Iran targets industrial control systems: A government problem
Governments are well aware of the threat posed by a cyberattack on critical infrastructure such as power grids. The Stuxnet worm, discovered in 2010 after it sabotaged centrifuges at an Iranian uranium enrichment facility, is just one example: it was malware built specifically to target the Siemens SCADA and PLC equipment that runs such plants.
These organizations are vulnerable because industrial control systems were designed for isolated networks and were never meant to be connected to the internet, yet many now are, directly or through the corporate IT networks they sit behind. In July, I reported that the U.S. government is planning to secure power grids from cyberattacks using “retro” technologies.
This approach would mean adversaries have to physically touch the equipment, making remote cyberattacks much more difficult, according to a press release issued when the Securing Energy Infrastructure Act (SEIA) passed the Senate.
And the threat is wide-ranging. Sam Curry, chief security officer at Cybereason, warns that most countries are “highly vulnerable” to cyber-assaults on critical infrastructure. “Critical infrastructure is generally old, poorly patched and managed, and was designed before cyber threats were a significant concern. This means the ability to cause damage is significant if the attacker knows what they are doing.”
Javvad Malik, security awareness advocate at KnowBe4, agrees, saying these kinds of attacks are “definitely things governments should be worried about.”
“Once adversaries gain access to industrial control systems and similar utilities, there is a wide range of attacks they can conduct. The most worrying is the total disruption of the power grid, but there could be other scenarios such as using access to gain intel on energy users.”
Escalating tensions between the U.S. and Iran
The Microsoft report also comes at a time of escalating tensions between the U.S. and Iran, and demonstrates the increasing threat posed by Iran’s state-backed hacking groups.
“Oh my, how APT33 has grown up,” comments CompTIA global faculty member Ian Thornton-Trump. “From early DDoS (distributed denial of service) attacks to website defacements, with perhaps a side hustle of bitcoin stealing, Iran is quickly–through the use of Russian and Chinese trainers–becoming a highly competent cyber adversary.”
Thornton-Trump points out that “right now Iran has many powerful geopolitical rivals–Saudi Arabia, Israel–as well as many proxy groups they need to support.”
“Iran has fully embraced cyber as part of its plan to move its political agenda, while at the same time isolating the country from the threat of an all-out shooting war,” Thornton-Trump says.
Thornton-Trump says Iran was a “careful student of Estonia, Georgia and Ukraine Russian cyber operations” and has engaged the best Russian cyber operators to boost capabilities. “The results of the Iranian attacks have been significant and costly.”
At a time when cyber warfare is a very real threat, attacks on critical infrastructure are certainly something to be concerned about. It’s down to governments, critical infrastructure organizations and security providers to ensure the systems underlying power grids are as secure as possible.