For all the nation-state hacker groups that have targeted the United States power grid—and even successfully breached American electric utilities—only the Russian military intelligence group known as Sandworm has been brazen enough to trigger actual blackouts, shutting the lights off in Ukraine in 2015 and 2016. Now one grid-focused security firm is warning that a group with ties to Sandworm’s uniquely dangerous hackers has also been actively targeting the US energy system for years.
On Wednesday, industrial cybersecurity firm Dragos published its annual report on the state of industrial control systems security, which names four new foreign hacker groups focused on those critical infrastructure systems. Three of those newly named groups have targeted industrial control systems in the US, according to Dragos. But most noteworthy, perhaps, is a group that Dragos calls Kamacite, which the security firm describes as having worked in cooperation with the GRU’s Sandworm. Kamacite has in the past served as Sandworm’s “access” team, the Dragos researchers write, focused on gaining a foothold in a target network before handing off that access to a different group of Sandworm hackers, who have then sometimes carried out disruptive effects. Dragos says Kamacite has repeatedly targeted US electric utilities, oil and gas, and other industrial firms since as early as 2017.
“They are continuously operating against US electric entities to try to maintain some semblance of persistence” inside their IT networks, says Dragos vice president of threat intelligence and former NSA analyst Sergio Caltagirone. In a handful of cases over those four years, Caltagirone says, the group’s attempts to breach those US targets’ networks have been successful, leading to access to those utilities that’s been intermittent, if not quite persistent.
Caltagirone says Dragos has only confirmed successful Kamacite breaches of US networks prior, however, and has never seen those intrusions in the US lead to disruptive payloads. But because Kamacite’s history includes working as part of Sandworm’s operations that triggered blackouts in Ukraine not once, but twice—turning off the power to a quarter million Ukrainians in late 2015 and then to a fraction of the capital of Kyiv in late 2016—its targeting of the US grid should raise alarms. “If you see Kamacite in an industrial network or targeting industrial entities, you clearly can’t be confident they’re just gathering information. You have to assume something else follows,” Caltagirone says. “Kamacite is dangerous to industrial control facilities because when they attack them, they have a connection to entities who know how to do destructive operations.”
Dragos ties Kamacite to electric grid intrusions not just in the US, but also to European targets well beyond the well-publicized attacks in Ukraine. That includes a hacking campaign against Germany’s electric sector in 2017. Caltagirone adds that there have been “a couple of successful intrusions between 2017 and 2018 by Kamacite of industrial environments in Western Europe.”
Dragos warns that Kamacite’s main intrusion tools have been spear-phishing emails with malware payloads and brute-forcing the cloud-based logins of Microsoft services like Office 365 and Active Directory as well as virtual private networks. Once the group gains an initial foothold, it exploits valid user accounts to maintain access and has used the credential-stealing tool Mimikatz to spread further into victims’ networks.
“One group gets in, the other… knows what to do”
Kamacite’s relationship to the hackers known as Sandworm—which has been identified by the NSA and US Justice Department as Unit 74455 of the GRU—isn’t exactly clear. Threat intelligence companies’ attempts to define distinct hacker groups within shadowy intelligence agencies like the GRU have always been murky. By naming Kamacite as a distinct group, Dragos is seeking to break down Sandworm’s activities differently from others who have publicly reported on it, separating Kamacite as an access-focused team from another Sandworm-related group it calls Electrum. Dragos describes Electrum as an “effects” team, responsible for destructive payloads like the malware known as Crash Override or Industroyer, which triggered the 2016 Kyiv blackout and may have been intended to disable safety systems and destroy grid equipment.
Together, in other words, the groups Dragos call Kamacite and Electrum make up what other researchers and government agencies collectively call Sandworm. “One group gets in, the other group knows what to do when they get in,” says Caltagirone. “And when they operate separately, which we also watch them do, we clearly see that neither is very good at the other’s job.”
When WIRED reached out to other threat-intelligence firms including FireEye and CrowdStrike, none could confirm seeing a Sandworm-related intrusion campaign targeting US utilities as reported by Dragos. But FireEye has previously confirmed seeing a widespread US-targeted intrusion campaign tied to another GRU group known as APT28 or Fancy Bear, which WIRED revealed last year after obtaining an FBI notification email sent to targets of that campaign. Dragos pointed out at the time that the APT28 campaign shared command-and-control infrastructure with another intrusion attempt that had targeted a US “energy entity” in 2019, according to an advisory from the US Department of Energy. Given that APT28 and Sandworm have worked hand-in-hand in the past, Dragos now pins that 2019 energy-sector targeting on Kamacite as part of its larger multiyear US-targeted hacking spree.
Vanadinite and Talonite
Dragos’ report goes on to name two other new groups targeting US industrial control systems. The first, which it calls Vanadinite, appears to be have connections to the broad group of Chinese hackers known as Winnti. Dragos blames Vanadinite for attacks that used the ransomware known as ColdLock to disrupt Taiwanese victim organizations, including state-owned energy firms. But it also points to Vanadinite targeting energy, manufacturing, and transportation targets around the world, including in Europe, North America, and Australia, in some cases by exploiting vulnerabilities in VPNs.
The second newly named group, which Dragos calls Talonite, appears to have targeted North American electric utilities, too, using malware-laced spear-phishing emails. It ties that targeting to previous phishing attempts using malware known as Lookback identified by Proofpoint in 2019. Yet another group Dragos has dubbed Stibnite has targeted Azerbaijani electric utilities and wind farms using phishing websites and malicious email attachments, but it has not hit the US to the security firm’s knowledge.
While none among the ever-growing list of hacker groups targeting industrial control systems around the world appears to have used those control systems to trigger actual disruptive effects in 2020, Dragos warns that the sheer number of those groups represents a disturbing trend. Caltagirone points to a rare but relatively crude intrusion targeting a small water treatment plant in Oldsmar, Florida earlier this month, in which a still-unidentified hacker attempted to vastly increase the levels of caustic lye in the 15,000-person city’s water. Given the lack of protections on those sorts of small infrastructure targets, a group like Kamacite, Caltagirone argues, could easily trigger widespread, harmful effects even without the industrial-control-system expertise of a partner group like Electrum.
That means the rise in even relatively unskilled groups poses a real threat, Caltagirone says. The number of groups targeting industrial control systems has been continually growing, he adds, ever since Stuxnet showed at the beginning of the last decade that industrial hacking with physical effects is possible. “A lot of groups are appearing, and there are not a lot going away,” says Caltagirone. “In three to four years, I feel like we’re going to reach a peak, and it will be an absolute catastrophe.”
This story originally appeared on wired.com.