Here's What We Know About the Password Spraying Attacks Conducted by Iranian Hackers
The escalating tension between Iran and the US is understandably front-page news. The situation is extremely complex, and nobody is really sure what's going to happen next. For now, things are relatively peaceful, but we all know that certain fingers could very well be hovering over certain red buttons, and we can only hope that common sense will prevail in the end. It must be said, however, that while the real-world tension might ease, online, the exchange of attacks between Iran and the USA is unlikely to stop any time soon.
Yesterday, Dragos Inc., a cybersecurity outfit that focuses on the protection of industrial control systems (ICS), published a report which details the activities of eleven Iran-linked hacking groups, and, more specifically, their attacks against the US' electrical grid. It shows that although they tend not to attract too much media attention, nation-backed threat actors attack other countries' ICS assets all the time.
Despite this, it must be said that the real-world disagreements between Iran and America have had an impact on the threat actors' activities. The eleven hacking groups discussed in Dragos' report are known for attacking ICS systems all around the world, but the experts noted that last year, most of them pointed their sights at the US and the critical infrastructure for generating and distributing electricity.
No serious disruption as yet
According to the report, the first known malware attack that caused a blackout happened in December 2015 in Ukraine, and fortunately, there's little evidence to suggest that the Iranian crews Dragos monitors are mounting the second one. The groups have indeed managed to infiltrate the networks of companies responsible for supplying electricity, and they have siphoned off some sensitive data. At this point, however, they have yet to come close to achieving the level of access that would allow them to disrupt the supply of electricity for a large number of households. This doesn't mean that it can never happen, though.
Bear in mind that we're not talking about self-taught cybercriminals with a penchant for hoodies and Guy Fawkes masks. Often referred to as Advanced Persistent Threats (APTs), state-sponsored hacking crews consist of experienced specialists who have next to unlimited resources to compromise their targets. Dragos' experts noted that successfully hitting a vital section of the American electrical grid is going to be extremely difficult, but the resumes of the Iranian APT groups discussed in the report suggest that they could very well be in with a shout.
They have made a name for themselves by attacking large organizations all around the world, and most of their previous targets are working in the oil and gas industry – another vital part of the world's economy that spends significant amounts of cash on security. The threat actors are known for their use of supply chain attacks to infiltrate a network, and once they're inside, they often deploy custom-developed tools designed specifically for the targeted ICS system. Sometimes, however, it's not all about cutting-edge sophistication.
Password spraying and unpatched VPNs can sometimes leave critical infrastructure exposed
Wired's Andy Greenberg also covered Dragos' report, and he focused on the activities of two of the APTs – Magnallium and Parisite. Throughout 2019, the two crews worked in tandem to attack various electric utility and oil and gas companies in the US.
To achieve their goal, the members of the Parisite group exploited vulnerabilities in an unnamed Virtual Private Network (VPN) client used by their targets. Magnallium, on the other hand, resorted to password spraying. In a password spraying attack, the hackers take the email addresses of users (in this case, employees of an electric utility company) and try each one in combination with a small selection of simple, easy-to-guess passwords in an attempt to log into the targeted system. Because so many people use simple, easy-to-guess passwords, some of the attempts succeed.
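To show what that pattern looks like from the defender's side, here is an added example that is not part of the article or of Dragos' report. It scans authentication log lines for the signature of password spraying (one source producing failures against many accounts, with only a handful of guesses per account) and separates it from classic brute force (many failures against one account), then lists the accounts that subsequently logged in successfully from a spraying source. The log lines, their four-field format, the account names and the thresholds are all constructed assumptions for this example, not the format or data of any real product or incident.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log (assumed format: timestamp, source IP, account, result).
# Source IPs come from the RFC 5737 documentation ranges. It contains:
#   203.0.113.7   - a spraying source: eight accounts, at most two guesses each
#   198.51.100.22 - a brute-force source: ten guesses against a single account
#   192.0.2.10    - an ordinary user who mistypes once and then logs in
SAMPLE_LOG = """\
2019-06-03T08:00:01Z 203.0.113.7 alice@utility.example FAIL
2019-06-03T08:00:03Z 203.0.113.7 bob@utility.example FAIL
2019-06-03T08:00:05Z 203.0.113.7 carol@utility.example FAIL
2019-06-03T08:00:07Z 203.0.113.7 dave@utility.example FAIL
2019-06-03T08:00:09Z 203.0.113.7 erin@utility.example FAIL
2019-06-03T08:00:11Z 203.0.113.7 frank@utility.example OK
2019-06-03T08:01:01Z 203.0.113.7 alice@utility.example FAIL
2019-06-03T08:01:03Z 203.0.113.7 bob@utility.example FAIL
2019-06-03T08:01:05Z 203.0.113.7 carol@utility.example FAIL
2019-06-03T08:05:00Z 198.51.100.22 dave@utility.example FAIL
2019-06-03T08:05:01Z 198.51.100.22 dave@utility.example FAIL
2019-06-03T08:05:02Z 198.51.100.22 dave@utility.example FAIL
2019-06-03T08:05:03Z 198.51.100.22 dave@utility.example FAIL
2019-06-03T08:05:04Z 198.51.100.22 dave@utility.example FAIL
2019-06-03T08:05:05Z 198.51.100.22 dave@utility.example FAIL
2019-06-03T08:05:06Z 198.51.100.22 dave@utility.example FAIL
2019-06-03T08:05:07Z 198.51.100.22 dave@utility.example FAIL
2019-06-03T08:05:08Z 198.51.100.22 dave@utility.example FAIL
2019-06-03T08:05:09Z 198.51.100.22 dave@utility.example FAIL
2019-06-03T08:10:00Z 192.0.2.10 alice@utility.example FAIL
2019-06-03T08:10:20Z 192.0.2.10 alice@utility.example OK
"""


def parse(log_text):
    """Turn the constructed log into (timestamp, source, account, result) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, account, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, src, account, result))
    return events


def analyse(events, window=timedelta(minutes=60), min_accounts=5,
            max_per_account=3, brute_threshold=10):
    """Return {source: 'spray' | 'brute_force'} for sources that match either shape.

    Spraying: within `window`, failures against at least `min_accounts` distinct
    accounts with no more than `max_per_account` failures each. That is the
    profile a per-account lockout never trips, so the pivot has to be the source.
    Brute force: `brute_threshold` or more failures against one account.
    Thresholds are assumptions for the example and need tuning per environment.
    """
    failures_by_src = defaultdict(list)
    for when, src, account, result in events:
        if result == "FAIL":
            failures_by_src[src].append((when, account))

    verdicts = {}
    for src, fails in failures_by_src.items():
        fails.sort()
        # Slide a window that starts at each failure in turn.
        for i in range(len(fails)):
            start = fails[i][0]
            per_account = defaultdict(int)
            for when, account in fails[i:]:
                if when - start > window:
                    break
                per_account[account] += 1
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                verdicts[src] = "spray"
                break
            if max(per_account.values()) >= brute_threshold:
                verdicts[src] = "brute_force"
                break
    return verdicts


def likely_compromised(events, verdicts):
    """Accounts that logged in successfully from a source flagged as spraying."""
    return {(src, account) for _, src, account, result in events
            if result == "OK" and verdicts.get(src) == "spray"}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    found = analyse(evs)
    for src, verdict in sorted(found.items()):
        print(f"{src}: {verdict}")
    for src, account in sorted(likely_compromised(evs, found)):
        print(f"review login: {account} from spraying source {src}")
```

The point of the `likely_compromised` step is the triage a practitioner actually needs: a spraying source that gets an `OK` back has found a weak password, and that session is the one to investigate first. Because attackers routinely rotate source addresses, a production version should also count distinct failing accounts per window across all sources, not only per source, and should feed on the identity provider's or VPN concentrator's real log format rather than the constructed one above.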
What is interesting about this is that you don't need to be a sophisticated, state-sponsored hacker to exploit a vulnerable VPN or organize a password spraying attack. In fact, these techniques are pretty noisy, and they're usually reserved for the hoodie-wearing Guy Fawkes impersonators. Yet, Parisite and Magnallium, two APTs with lots of cash and resources, have decided to use them. Why would they do that?
Because they think that these attacks will be successful. This is a worrying thought.
Unless we're talking about a zero-day vulnerability, exploiting an insecure VPN means that the user has either misconfigured the network or neglected a security update. And as for password spraying, as we mentioned already, it's only possible because guessing people's passwords is not as difficult as it should be. In other words, the Iranian APTs are betting on people making simple security mistakes. The people in question are responsible for vital parts of the US' power grid.
This should set off some alarm bells for those in charge of organizations that are likely to be attacked. Quite a lot is at stake, and security (both physical and online) must be a priority. Stopping the relentless attacks from nation-backed hackers is unlikely, but the people responsible for the US' electrical grid can at least get rid of the low-hanging fruit.