Know Thine Enemy - Identifying North American Cyber Threats.
Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by Juniper Networks. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Dave Bittner: [00:00:25] And now a word from our sponsor, Juniper Networks. Organizations are constantly evolving and increasingly turning to multicloud to transform IT. Juniper's connected security gives organizations the ability to safeguard users, applications, and infrastructure by extending security to all points of connection across the network. Helping defend you against advanced threats, Juniper's connected security is also open, so you can build on the security solutions and infrastructure you already have. Secure your entire business, from your endpoints to your edge, and every cloud in between, with Juniper's connected security. Come see Juniper at RSA 2020 in booth 6161 to see why NSS Labs says Juniper is back in security. And we thank Juniper for making it possible to bring you Research Saturday.
Dave Bittner: [00:01:19] Thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data, all without ever decrypting anything – all without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at enveil.com.
Selena Larson: [00:01:59] Dragos puts together threat perspectives that take a look at the threat landscape from an industrial cybersecurity perspective across geographies as well as verticals.
Dave Bittner: [00:02:09] That's Selena Larson. She's a cyber threat intelligence analyst at Dragos. The research we're discussing today is titled, "The North American Electric Cyber Threat Perspective."
Selena Larson: [00:02:20] So, previously we published one on oil and gas from a global perspective. And this one specifically focuses on North American electric and the threat to electric utilities here in the US, as well as the rest of North America. What this does essentially is it provides an overview of the threat landscape. It takes a lot of the intelligence that we work on on my team as a threat intelligence team, and provides a sort of public look at, you know, some of the adversaries that we're tracking, some of the activity that we have seen targeting electric, as well as potential future disruption, as well as potential attack scenarios that could potentially affect North American electric in the future.
Dave Bittner: [00:03:00] One of the things that you highlight early on in the report is you sort of outline the various activity groups that you're tracking here. Can we go through those together and maybe just give us a taste of what each of one of those groups seems to be about?
Selena Larson: [00:03:16] So, we track seven activity groups that target electric utilities in North America. When we say activity groups, this is essentially a collection of observables from the adversary, their infrastructure, their behaviors, a lot of the activity that we've seen, and we group them together. Dragos does not attribute, in that we don't necessarily say this activity was tied specifically to Iran or this activity was tied to this individual criminal enterprise. We focus our intelligence on enabling defenders to do their job better. And from our perspective, the sort of tying adversaries to states or criminal elements, things like that – it doesn't necessarily matter from a defender perspective, because you can really focus on defending against the behaviors regardless of the entity necessarily that's behind them. So that's what I'm talking about when we talk about activity groups.
Selena Larson: [00:04:08] So, PARISITE is one of the newest groups that we have identified and we just released in this report, because this group does target North American electric. So, they also target aerospace and oil-and-gas entities. They generally have a broader geographic targeting than some of the other activity groups that we track. But what's interesting with this group is that they largely focus on leveraging known VPN or virtual private network vulnerabilities for initial access.
Selena Larson: [00:04:35] So, some of your listeners might be familiar with the virtual private network or VPN vulnerabilities that were released back in 2019. A lot of intelligence and government intelligence agencies have published reports discussing that APT or advanced threat actors are targeting these vulnerabilities for initial access. So, it's not just PARISITE that is using VPNs for initial access, but we're kind of seeing this activity from other groups that don't necessarily target critical infrastructure. So, kind of an interesting data point for us.
Selena Larson: [00:05:05] But again, this is a newly observed group. We do assess that this group might facilitate initial access or further operations for a group that we call MAGNALLIUM. So I can talk about MAGNALLIUM now...
Dave Bittner: [00:05:17] Yeah.
Selena Larson: [00:05:18] ...It's kind of an interesting group. So, generally they have targeted energy and aerospace for a while – since at least 2013. And largely, they were active and mostly focusing on oil and gas and energy companies in Saudi Arabia, or entities with business interests in Saudi Arabia. But we actually identified recently MAGNALLIUM increasing and expanding its targeting to include electric utilities in the US and North America. This group does not – we haven't really assessed it to have sort of an ICS-specific capability, so, like we've seen in previous attacks that leverage ICS malware to disrupt operations or, you know, cause really damaging consequences. But they are very highly interested in industrial control systems, entities that have operations that, you know, fall in sort of the industrial space. And it is interesting that we have seen them expand to North America.
Dave Bittner: [00:06:10] Hmm. Mm-hmm.
Selena Larson: [00:06:11] XENOTIME is another activity group that we have tracked who has expanded its targeting to North America as well. We actually reported on that back in 2019. We do consider it to be one of the most – if not the most – dangerous threat to industrial control systems. This is the group that was responsible for the destructive TRISIS malware attack back in August of 2017. They were able to sort of infiltrate the operations at an oil and gas facility in the Middle East, and deployed highly specific targeted malware in that environment to cause a disruptive effect. We do assess that XENOTIME is also involved in compromising ICS vendors and manufacturers. This does demonstrate a potential supply chain threat that is certainly concerning to industrial as well.
Selena Larson: [00:06:57] Then we have DYMALLOY. So, DYMALLOY we assess to be a pretty aggressive and capable activity group. We do believe they have the ability to achieve long-term and persistent access, both to the IT side of things as well as operational environments, generally for intelligence collection and potentially future disruption events. This activity group does have some associations or overlaps with Dragonfly 2.0 as well as Berserk Bear, and the group's victims do include electric utilities and oil and gas in Turkey, Europe, as well as here in North America. We have seen DYMALLOY expanding its targeting to include the APAC region, just based on some newly identified malware samples.
Selena Larson: [00:07:39] And then we have ELECTRUM. So, ELECTRUM is interesting. So, this is the group that is responsible for the CRASHOVERRIDE events in Ukraine in 2016. This group largely focuses on electric utilities and mostly targets entities in Ukraine. But it is one of the most sophisticated in that it does have the capability to sort of develop and deploy ICS-specific malware within an operations environment, right? So, the CRASHOVERRIDE malware – pretty unique, it was pretty interesting. It had a lot of ICS-specific modules coded into the malware, so they were able to sort of deploy that within operations to have this really disruptive effect.
Selena Larson: [00:08:16] So, RASPITE is another one that targets electric utilities in the US, as well as some government entities in the Middle East. This one, we haven't seen new RASPITE activity since about mid-2018. So, not a whole lot to say on that group.
Selena Larson: [00:08:32] ALLANITE is another interesting one. It targets business and ICS networks in the US, UK – largely electric utility sectors. We believe that this group performs reconnaissance in operational environments to potentially stage disruptive effects. But again, this is another group that does not necessarily have an ICS-specific capability. We haven't observed ALLANITE having one at this time.
Selena Larson: [00:08:55] So, COVELLITE is another one that actually hasn't seen a ton of activity recently, but we include any groups that don't necessarily have a ton of activity just because we are ongoing and we are tracking their behaviors, and we'll provide updates to customers, of course, as soon as we identify any new stuff. But they have previously compromised networks associated with electric energy, largely in Europe, East Asia, as well as here in North America. Again, largely IT-focused, so no ICS-specific capabilities. And honestly, there really isn't a lot of evidence or indications that this group actually remains active from an electric or ICS targeting perspective.
Dave Bittner: [00:09:33] Interesting.
Selena Larson: [00:09:33] CHRYSENE is another one. So, this group developed from a campaign, an espionage campaign that really gained attention after the Shamoon attacks back in 2012 that impacted Saudi Aramco. This group has targeted petrochemical, oil and gas, as well as electric generation sectors. We haven't seen them yet targeting North America – North American ICS specifically – but they have seemed to have shifted beyond the initial focus of the Gulf region in the Middle East, and we do assess that they remain active as well as evolving.
Dave Bittner: [00:10:04] Hmm.
Selena Larson: [00:10:06] And then finally, we have WASSONITE. So, WASSONITE targets electric generation, nuclear energy, manufacturing, and research entities in India, and likely South Korea and Japan. We actually identified WASSONITE as the activity group that was responsible for the compromise of the Indian power company back in the fall of 2019. They largely rely on Dtrack malware that was observed in that campaign, and we believe they've operated since at least 2018.
Dave Bittner: [00:10:35] Now, in terms of the names that you're using here for these various groups, are these names internal to Dragos? Is there a recognition of these names throughout the industry? How does that all land?
Selena Larson: [00:10:50] Right. So, we do have internal names specifically for Dragos. However, we do note if they have links to other activity groups. So, with threat intelligence, because so much of it operates outside of the public purview, we can't necessarily match one-to-one this group is definitely the group that FireEye tracks as APT10. That's why I hear a lot of people who are sort of frustrated with the naming conventions when we're talking about adversaries or activity groups or threat groups, what have you...
Dave Bittner: [00:11:20] Right.
Selena Larson: [00:11:21] ...But fundamentally, it's a visibility issue, right? So, we don't have the same visibility as any other threat intelligence company, and they don't have the same visibility as us. So, we can say, you know, in our reporting that MAGNALLIUM, for instance – so, MAGNALLIUM is a good one. MAGNALLIUM does have links or sort of some of the behavior overlaps with a group known as APT33. But we can't say, you know, it's a one-for-one match specifically, because we do not have the same visibility as the company that calls it APT33.
Dave Bittner: [00:11:50] I see.
Selena Larson: [00:11:51] Yeah. So, oftentimes, you know, we hear the public kind of complain, like, why don't we have one name for everything? But there is some science behind that reason. But yeah, so all of these groups, we do come up with the names internally, and we'll provide links to other groups when it does have some overlap.
Dave Bittner: [00:12:07] I see. Well, I mean, that's sort of the cast of characters. Can you take us through some of the overall trends and the things that you're seeing when it comes to these groups?
Selena Larson: [00:12:16] Definitely. So, one of the most concerning trends that we have observed with some of our activity groups is this concept of threat proliferation. So, we have seen some of our adversaries, including MAGNALLIUM and XENOTIME – who historically targeted oil and gas entities largely in the Middle East – expanding their targeting and their activity into North American electric. So, this report shows that activity groups are not necessarily focused on either one specific geography or one specific vertical. So that means any operators that are operating in the industrial space have to be aware of all activity groups that are targeting any industrial-related entity, because at any point they could shift their targeting and begin to target their vertical.
Dave Bittner: [00:13:02] Hmm.
Selena Larson: [00:13:02] What we're seeing here, too, is it's not that they're changing their behaviors, necessarily, as they're changing up this targeting, right? So, if you, as a defender, are aware of the behaviors, the tactics, techniques, and procedures that are used by the various groups, when they do decide to focus their energy and their attention and their efforts on your specific industry, you can be defended, because previously you have been aware of this behavior, you've incorporated a lot of the defensive recommendations. And so, when they turn their sights on you, it might not be as successful, because they're using similar behaviors.
Dave Bittner: [00:13:36] Yeah, that's interesting. I mean, I kind of think – this is, I'm sure, an imperfect analogy – but I kind of think of, you know, if you think of all the different stores at a mall. You know, if someone's shoplifting at the, you know, the Apple store, the folks down at the Disney store down the hall, they're still going to have to worry about shoplifters, even though they're in different, you know, lines of the things that they sell. But at the end of the day, they're all retailers.
Selena Larson: [00:13:59] Yeah. And maybe the shoplifter puts it in their right-hand pocket. Right? (Laughs)
Dave Bittner: [00:14:04] Right.
Selena Larson: [00:14:04] You can kind of – so you can train your video cameras on that particular area, or they normally go to, you know, this one particular toy section. Things like that. Yeah.
Dave Bittner: [00:14:13] Right. And so is it – I mean, is it true that there's a lot of overlap, or a significant enough amount of overlap in the types of tools and things that the folks in the ICS space use, regardless of what flavor of ICS they're dealing with, that that leads to some of this crossover.
Selena Larson: [00:14:31] Mm-hmm. Yeah. It's largely similar, yeah. So, and that's kind of why, while we were largely focusing the report on electric utilities, for instance, it really does apply kind of across the board here. It was kind of the same for XENOTIME when we were talking about oil and gas targeting, right? So XENOTIME had previously targeted O&G, but it expanded into electric utilities. The same could potentially be said for entities that, you know, will target manufacturing, or will target electric. And then they, you know, kind of expand their behaviors to these other different verticals. So, we really kind of want to drive home the point that it's not necessarily – you know, you're not safe because you're not a target. Targeting can change at any time. And what remains fairly consistent is the behaviors that these groups are exhibiting.
Selena Larson: [00:15:17] Now, the behaviors change between activity groups. And so, for instance, we're talking about PARISITE using VPN targeting, potentially talking about MAGNALLIUM using password spraying, you know, XENOTIME having the ability to sort of burrow into the control systems network and execute very specific behaviors within the control system to deploy its TRISIS malware. So, individual groups have individual tactics, but, you know, as a whole, they largely stay the same. And that's, you know, this idea of threat behaviors or the TTPs, right? You know, when you kind of understand those and defend against those, hopefully you can be defended against, you know, an adversary when they decide to set their sights on you.
Dave Bittner: [00:15:58] Now, a good part of the report goes through important information about the North American electric system itself. Can you give us an overview? What are the things that's important for people to understand about the system?
Selena Larson: [00:16:12] Oftentimes, you know, when folks will talk about the North American electric system, they use this idea of the electric grid – sort of an electric grid kind of being a single entity. That's a little bit of a misnomer. It's actually generally referred to as the "bulk electric system." So, this refers to the way the power is generated, transmitted, and distributed all across North America. And what I really want to kind of point out here is that the entire bulk electric system is very complex, first of all, so this idea of potentially flipping a switch and taking down the entire quote unquote, "electric grid" is not the reality.
Dave Bittner: [00:16:46] Yeah.
Selena Larson: [00:16:48] It's also very resilient, right? So, you have a lot of threats to the bulk electric system. It's not just from a cyber perspective, right? So, anytime there's a severe storm – we're talking hurricanes, for instance. That can be a big one. Or, you know, other natural threats like earthquakes that can cause major disruptions. We've seen fires, certainly, that have major impacts on the availability of power in certain areas.
Dave Bittner: [00:17:10] Squirrels. Let's not forget squirrels.
Selena Larson: [00:17:12] Of course! Yes, squirrels, yes...
Dave Bittner: [00:17:14] (Laughs)
Selena Larson: [00:17:14] ...Animals, fire ants – that's another big one, actually.
Dave Bittner: [00:17:16] Really?
Selena Larson: [00:17:16] Yeah. Yeah.
Dave Bittner: [00:17:17] Oh, interesting.
Selena Larson: [00:17:20] So, you have a lot of these threats that aren't necessarily exclusively cyber. And so, they have built in this very – built up this extremely resilient, segmented system. I also want to point out here, too, that a lot of electric power entities in North America and certainly in the United States have to adhere to cybersecurity standards or regulations that are essentially put in place. These are basically created by the FERC – the Federal Energy Regulatory Commission – and the North American Electric Reliability Corporation. So, these are the sort of governing bodies of the safety and security of the electric system, and there are cyber regulations that are in place.
Selena Larson: [00:18:00] That's important to note because you don't really see that with other industrial operations necessarily, right? Like, you don't have the sort of same – they're called the Critical Infrastructure Protection regulations. You don't have CIP regulations on, say, manufacturing, for instance. And so, they do a pretty good job of sort of establishing sort of like baseline cybersecurity practices that you have to sort of adhere to or you could potentially face various consequences. I believe, you know, they've levied some pretty hefty financial consequences – up in the millions, even – over the last year, because they were sort of not adhering to these standards.
Selena Larson: [00:18:36] And so, there are mostly three components that we discussed in our report. So, you have the generation piece of the electric system, the transmission piece, and then you have the distribution piece, and that's what actually gets the electricity out to your homes and businesses and helps you listen to your phone that you just charged and are listening to this podcast on.
Dave Bittner: [00:18:56] Right, right. (Laughs).
Selena Larson: [00:18:58] And so, we kind of use that as a base to sort of break up the threat landscape from these different generation, transmission, and distribution phases. Because we do see adversaries targeting different parts of the electric system. It's not all targeted on generation or distribution necessarily. And so, in the report, we do kind of talk about some adversaries who have targeted specific pieces of the grid system.
Dave Bittner: [00:19:24] I think it's interesting how different threat actors have their hand in different areas. In the things that you've been tracking, they seem to have different specialties of which parts of the grid they're most interested in.
Selena Larson: [00:19:39] Certainly. Yeah. Yeah. So, for instance, generation is a really good example. We have seen, you know, three activity groups that have either the intent or capability to potentially disrupt this portion of the bulk electric system. So DYMALLOY is an interesting, good example. This group actually did target generation facilities and was able to obtain screenshots of sensitive ICS data. This includes HMI – so, human machine interfaces, for instance – or sensitive documentation that kind of describes plant operations. And so, we haven't seen them actually execute an attack like we've seen in other parts of the world. We haven't seen them, you know, have this sort of specialized ICS-specific malware capabilities. But certainly the information that they could glean from targeting those types of facilities could help them potentially prepare for a more disruptive or invasive attack.
Dave Bittner: [00:20:31] Well, with the time we have left together, can you take us through some of the recommendations that you all have made here? What are some of the best ways for organizations who are in this line of business to be able to protect themselves?
Selena Larson: [00:20:45] Yeah, so we provided a bunch of defensive recommendations. And I want to make it clear to you, it's not just for electric utilities. We did certainly map them to any critical infrastructure protection regulations that made sense in this piece. But I think, you know, any sort of industrial operator can read this report and kind of get an overview of the recommendations that we provide, and take it to their operators and say, hey, look, here are some of the things that Dragos is saying we should be doing – what are we doing?
Dave Bittner: [00:21:11] Mm-hmm.
Selena Larson: [00:21:13] And one of the big ones is this idea of consequence-driven security assessments, and protecting, you know, the crown jewels, so to speak. And so, this would be identifying and prioritizing your most critical assets and connections, and trying to identify the actual consequences of cyberattacks. What happens if they are able to sort of compromise this crown jewel?
Selena Larson: [00:21:34] So, third parties are another big one that we've seen from our adversaries, sort of targeting those sensitive and trustworthy connections between – whether it's a vendor and a utility or, you know, a contractor or an engineer that might be virtually logging into whatever control system environment, or their workstation, let's say. And so, you really want to make sure that third-party connections and ICS interactions are monitored and logged, from this sort of, like, trust-but-verify mindset. You really want to make sure that only the people who you are allowing to or you want to be accessing your networks are.
Selena Larson: [00:22:11] This is also true when we're talking about third parties or supply chain. A lot of times you think about the supply chain piece as hardware backdoors into some sort of device that goes on your network and then they can kind of, you know, infiltrate or scramble around from there. I kind of want to point out here, too, that the idea of supply chain, or the idea of this sort of third-party access is not unique to these sort of very sophisticated and complicated and largely overblown hardware backdoors. Not to say that that's not a threat, right? So, we're talking about, for instance, DYMALLOY or ALLANITE is a good example, right? Sort of targeting or going after the vendors and contractors to try and get in sideways and use those trusted relationships to pretend to be a legitimate or trusted third party. So, that encompasses the supply chain threat.
Selena Larson: [00:22:59] Response plans are really important. That's something that we've certainly seen, not just for ICS, but across the board. We're talking about enterprise as well with all of these ransomware attacks that we've certainly seen an uptick in over the last year. But, you know, having a response plan, A, and B, actually practicing. You know, like doing a dry run of these response plans can really help the investigations, really lower time-to-response as well. So that's super important.
Dave Bittner: [00:23:28] You know, it's a very interesting report, and I think one of the things that I took away from it is the ability to put everything in perspective – that, yes, these things are serious, but I think particularly with the electrical system, it's easy for people's imagination to run away with themselves, and to kind of imagine a worst case scenario. And my sense here with this report is that you're putting across the message that, yes, these things are serious, but there's no need to panic. Let's stay sober about these and address them in a very sort of systematic and rational way.
Selena Larson: [00:24:08] Yes, definitely. Thank you for picking up on that. You know, it is really important to us at Dragos to combat this idea of fear, uncertainty, and doubt. The infosec community calls it "FUD," right? This idea of, oh, the sky is falling, when anything happens. The threats are real. The threats are very serious. Certainly, the things that we have seen adversaries capable of doing both in the Middle East and Ukraine are very concerning. We are seeing an interest – an uptick in interest in industrial companies in the industrial space. But yes, this message of don't panic, really getting the lay of the land here, really talking about the activity that we're seeing, right? So, for the most part, our adversaries that we're observing don't necessarily have an ICS-specific capability like we have seen with XENOTIME and ELECTRUM.
Selena Larson: [00:24:57] And also this idea that, you know, there are really good people who work in the space, who are doing really good work and hyper-focused on protecting our critical infrastructure, protecting electric utilities here in North America. You know, like I said, the threats are not just coming from a cyber place. They're also coming from a physical space as well. And there are a ton of people doing really good work to make sure that we are resilient, that we can respond to these things, that we have processes in place to be able to defend ourselves from whatever the threats may be.
Dave Bittner: [00:25:28] That's Selena Larson from Dragos. The report is titled, "The North American Electric Cyber Threat Perspective." We'll have a link in the show notes.
Dave Bittner: [00:25:40] Thanks to Juniper Networks for sponsoring our show, you can learn more at juniper.net/security, or connect with them on Twitter or Facebook.
Dave Bittner: [00:25:48] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at enveil.com.
Dave Bittner: [00:25:56] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.