Iranian Hackers Have Been ‘Password-Spraying’ the US Grid 1

In the wake of the US assassination of Iranian general Qasem Soleimani and the retaliatory missile strike that followed, Iran-watchers have warned that the country could deploy cyberattacks as well, perhaps even targeting US critical infrastructure like the electric grid. A new report lends some fresh details to the nature of that threat: By all appearances, Iranian hackers don’t currently have the capability to start causing blackouts in the US. But they’ve been working to gain access to American electric utilities, long before tensions between the two countries came to a head.

On Thursday morning, industrial control system security firm Dragos detailed newly revealed hacking activity that it has tracked and attributed to a group of state-sponsored hackers it calls Magnallium. The same group is also known as APT33, Refined Kitten, or Elfin, and has previously been linked to Iran. Dragos says it has observed Magnallium carrying out a broad campaign of so-called password-spraying attacks, which guess a set of common passwords for hundreds or even thousands of different accounts, targeting US electric utilities as well as oil and gas firms.

A related group that Dragos calls Parisite has worked in apparent cooperation with Magnallium, the security firm says, attempting to gain access to US electric utilities and oil and gas firms by exploiting vulnerabilities in virtual private networking software. The two groups’ combined intrusion campaign ran through all of 2019 and continues today.

Dragos declined to comment on whether any of those activities resulted in actual breaches. The report makes clear, though, that despite the IT system probes they saw no sign that the Iranian hackers could access the far more specialized software that controls physical equipment in electric grid operators or oil and gas facilities. In electric utilities in particular, digitally inducing a blackout would require far more sophistication than the techniques Dragos describes in its report.

But given the the threat of Iranian counterattacks, infrastructure owners should nonetheless be aware of the campaign, argues Dragos founder and former NSA critical infrastructure threat intelligence analyst Rob Lee. And they should consider not just new attempts to breach their networks but also the possibility that those systems have already been compromised. “My concern with the Iran situation is not that we’re going to see some new big operation spin up,” Lee says. “My concern is with access that groups might already have.”

The password-spraying and VPN hacking campaigns that Dragos has observed aren’t limited to grid operators or oil and gas, cautions Dragos analyst Joe Slowik. But he also says Iran has shown “definite interest” in critical infrastructure targets that include electric utilities. “Doing things in such a widespread fashion, while it seems untargeted, sloppy, or noisy, allows them to try to build up relatively quickly and cheaply multiple points of access that can be extended into follow-on activity at a point of their choosing,” says Slowik, who formerly served as head of the Department of Energy’s incident response team.

Iran’s hackers have reportedly breached US electric utilities before, laying the groundwork for potential attacks on US electric utilities, as have Russian and China. US hackers do the same in other countries as well. But this wave of grid probing would represent a newer campaign, following the breakdown of the Obama administration’s nuclear deal with Iran and the tensions that have mounted between the US and Iran since and only somewhat eased since Iran’s missile strike Tuesday evening.

The password-spraying campaign Dragos describes matches up with similar findings from Microsoft. In November, Microsoft revealed that it had seen Magnallium carrying out a password-spraying campaign along a similar timeline, but targeting industrial control system suppliers of the kind used in electric utilities, oil and gas facilities, and other industrial environments. Microsoft warned at the time that this password-spraying campaign could be a first step toward sabotage attempts, though other analysts have noted it may have also been aimed at industrial espionage.