A new report from cybersecurity firm Dragos warns that electric utilities around the world “remain at risk for a disruptive — or potentially destructive — cyberattack,” with a growing number of events targeting the electric industry, along with risks from supply chain vulnerabilities and ransomware attacks.

However, the report also notes that regulations surrounding electric utilities in developed countries are generally strong enough to “ensure a minimum level of security” and that the electric industry “leads other industrial sectors in security investments” in most of the world.

Dragos’ report covers the global threat landscape through June 2021, mainly highlighting threats to the security of utilities’ industrial control systems (ICS), which it called “high and increasing, led by numerous intrusions for reconnaissance and information gathering purposes.” The firm reported that it identified four new activity groups (AGs) in 2020, three of which — dubbed Talonite, Kamacite and Stibnite in the document — have been observed to target electric utilities.

New Groups Cover Range of Targets

Of the new groups, only Talonite directly targets the U.S. electric sector, focusing on “information gathering operations” that it carries out through “spearphishing techniques with malicious documents or embedded executables.” The group’s tendency to use multiple techniques and tactics in its intrusions makes it difficult to track and contain. Dragos noted that while it cannot definitively link Talonite with any other threats, there is “behavioral overlap” with the Chinese state-sponsored hacking group APT10.

Kamacite only arrived on Dragos’ radar last year, but the group has been active for over half a decade. It participated in the 2015 and 2016 attacks on Ukraine’s power grid, as well as “the persistent campaign targeting U.S. energy companies from late 2019 to mid 2020”; earlier this year federal security officials attributed all three attacks to Russian military intelligence, though Dragos does not link any of the AGs to specific state actors. (See Feds: Russia Behind Years of Hacking Attempts.)

The Kamacite group itself does not have ICS-targeting capabilities; Dragos says its role is “enabling the access for the teams that do,” including Electrum, Dragos’ name for the group that carried out the Ukraine power grid attacks. Kamacite uses “a combination of phishing with malicious attachments and external access via legitimate services … to gain initial access to victim organizations,” followed by a transfer of “operational control” to another entity to execute the ICS disruption.

The last of the new AGs, Stibnite, so far seems to be primarily focused on Azerbaijan, where it “launched multiple intrusion operations” against wind power plants and government entities in late 2019 and 2020. After gaining access to target networks through spearphishing campaigns, Stibnite uploads a custom malware called PoetRAT, apparently designed to steal sensitive documents.

Dragos calls this malware “part of a complete stage 1 operation” of the ICS cyber kill chain, a model of ICS attacks adapted from Lockheed Martin’s cyber kill chain framework. A 2015 white paper from SANS Institute describes stage 1 of such an attack as “espionage or an intelligence operation.” In keeping with this assessment, Dragos says Stibnite currently shows “no indication of disruptive or damaging capability or intent.”

Threats to Multiple Grid Segments

Along with identifying active threat groups, Dragos’ report includes an assessment of the threat landscape for electric power generation, transmission and distribution.

Under generation, the report notes that at least five AGs that have shown “the intent or capability” to access ICS networks of generation facilities: Xenotime, Dymalloy, Allanite, Stibnite and Wassonite. Of these, Xenotime, active since 2014, is “easily the most dangerous threat activity publicly known”: Dragos blames the group for the disruption of oil and gas facilities in Saudi Arabia in 2017, along with unspecified attacks against electric utilities in North America and the Asia Pacific region, and oil and gas companies in Europe, the U.S., Australia and the Middle East.

The other four AGs have shown no intent to disrupt or damage generation facilities, and Dragos points out there have apparently been no successful such attacks. However, the espionage activities that have been observed could serve to facilitate disruptive activities.

Kamacite and Electrum qualify as a combined threat to transmission operations, as Kamacite operates as an “initial access and facilitation group” for Electrum. While the activities of the two occurred in Europe, Dragos says the tactics could be modified to fit utilities in other parts of the world.

Kamacite is cited alone as a threat to distribution for having “enabled the first widespread outage caused by a cyberattack” in Ukraine in December 2015. The group used “existing tools in the operations environment” to shut down power to around 230,000 people for several hours — essentially taking over the utilities’ own controls rather than installing ICS-targeting malware as Electrum does.

Ransomware Could Target ICS Software

Dragos’ paper also discusses the “significant rise in the number of nonpublic and public ransomware events” affecting ICS environments, particularly in the electric sector. According to Dragos, 10% of the ransomware attacks against industrial and related entities between 2018 and 2020 targeted electric utilities, more than any other industry except manufacturing.

Several of the ransomware strains found in these attacks included “ICS-aware functionality,” meaning that they were programmed to look for ICS processes in whatever environments they might be loaded into. Such software “can have disruptive impacts on operations if it is able to bridge the [information technology]/[operational technology] gap due to improper security hygiene,” Dragos warns.