U.S. Electric Grids Under Threat From 'Raspite' Hacking Group Cyberattacks

The sun shines over towers carrying electrical lines on August 30, 2007, in South San Francisco, California. Justin Sullivan/Getty Images

American companies working in the electric utility sector are currently under threat from a hacking group that cybersecurity experts have code-named RASPITE.

Dragos Inc., a company that specializes in research on critical infrastructure attacks, disclosed on Thursday that the collective is known to target entities across the U.S., Middle East, Europe, and East Asia. But it noted that intrusions on electric utility companies are limited to America, for now.

The group, which has been active since last year, uses booby-trapped websites in an attempt to steal Windows usernames and passwords. The ultimate aim, Dragos researchers believe, is to gain remote access to a victim's machine. Luckily, the hackers have not demonstrated they have the capability to compromise Industrial Control Systems (ICS) and cause blackouts.

"The activity group is targeting electric utilities, but there is no current indication the group has the capability of destructive ICS attacks including widespread blackouts like those in Ukraine," the Dragos report said. In late 2015, a major electricity blackout was reported in Ukraine and malware was found on computer networks. It was a landmark cyberattack later blamed on Russia.

"While the group has not yet demonstrated an ICS capability, RASPITE's recent targeting focus and methodology are clear indicators of necessary activity for initial intrusion operations into an IT network to prepare the way for later potential ICS events," Dragos researchers warned.

The same group is known as LeafMiner by cybersecurity company Symantec. It was the focus of a report, published July 25, which analyzed its digital espionage activity in the Middle East.

According to Symantec, at least some of the hackers appeared to be based in Iran and have previously taken advantage of the leak of cybertools from the Shadow Brokers. Dragos said on Twitter that its disclosure was the first known instance of the covert group targeting ICS.

"Dragos caught RASPITE early in its maturity which is ideal as it allows us to track its behavior and threat progression to help organizations defend against them," said Sergio Caltagirone, director of threat intelligence at Dragos, in a statement sent to Newsweek via email.

"RASPITE uses common techniques which is good because defenders with sufficient monitoring can catch them and mitigate any opportunity for them to get better," he continued.

"At this time, we are limiting the amount of information in our public reports to avoid the proliferation of ideas or tradecraft to other activity groups."

Caltagirone added: "Although Dragos does not conduct country-specific attribution of industrial control threats, generally threats focused on industrial control are state-sponsored due to the inherent risk, limited financial gain, and potential blowback from the operations."

Last month, an official from the Department of Homeland Security (DHS) warned that a cyber-espionage unit with links to Russia had been actively targeting U.S. utility control rooms. In March, U.S.-CERT had branded the same hacking activity a "multi-stage intrusion campaign."

A figure passes the dynamic map board showing power distribution through California's electrical grids in the control center of the California Independent System Operator (Cal-ISO) on August 9, 2004. David McNew/Getty Images