Together, in other words, the groups that Dragos calls Kamacite and Electrum make up what other researchers and government agencies collectively call Sandworm. “One group comes in, the other knows what to do when they come in,” Caltagirone says. “And when they operate separately, which we also watch them do, we clearly see that neither is very good at the other’s job.”
When WIRED contacted other threat intelligence firms, including FireEye and CrowdStrike, none could confirm seeing a Sandworm-related intrusion campaign targeting U.S. utilities, as reported by Dragos. But FireEye has already confirmed seeing a large targeted intrusion campaign in the United States linked to another GRU group known as APT28 or Fancy Bear, which WIRED revealed last year after receiving an FBI notification email sent to the targets of this campaign. Dragos pointed out at the time that the APT28 campaign shared command and control infrastructure with another attempted intrusion that targeted a US “energy entity” in 2019, according to a US Department of Energy notice. Given that APT28 and Sandworm have worked hand in hand in the past, Dragos is now pinning 2019 energy sector targeting on Kamacite as part of its biggest multi-year targeted hacking frenzy in the United States.
The Dragos report goes on to name two other new groups targeting US industrial control systems. The first, which it calls Vanadinite, appears to have ties to the large group of Chinese hackers known as Winnti. Dragos blames Vanadinite for attacks that used ransomware known as ColdLock to disrupt victimized Taiwanese organizations, including state-owned energy companies. But it also says that Vanadinite is targeting energy, manufacturing and transportation targets around the world, including in Europe, North America and Australia, in some cases by exploiting VPN vulnerabilities.
The newly named second group, which Dragos calls Talonite, appears to have also targeted North American electric utilities, using spear-phishing emails containing malware. It has no clear ties to previously known hacker groups. Yet another group that Dragos dubbed Stibnite has targeted Azerbaijani power utilities and wind farms using phishing websites and malicious email attachments, but has not reached the United States as far as the security company knows.
While none of the ever-growing list of hacker groups targeting industrial control systems across the globe appears to have used those control systems to trigger real disruptive effects in 2020, Dragos warns that the sheer number of such groups represents a disturbing trend. Caltagirone points to a rare but relatively crude intrusion targeting a small water treatment plant in Oldsmar, Florida, earlier this month, in which an as-yet-unidentified hacker attempted to dramatically increase the levels of caustic lye in the water supply of a city of 15,000 people. Given the lack of protection on these types of small infrastructure targets, a group like Kamacite, Caltagirone argues, could easily trigger widespread harmful effects, even without the industrial control system expertise of a partner group like Electrum.
This means that the growing number of groups, even relatively unskilled ones, poses a real threat, Caltagirone says. The number of groups targeting industrial control systems has been steadily increasing, he adds, since Stuxnet showed at the start of the last decade that industrial hacking with physical effects is possible. “A lot of groups are appearing, and not many are leaving,” Caltagirone says. “In three or four years, I have a feeling that we are going to reach a peak, and it will be an absolute disaster.”