CLICK TO SHARE
For all the nation-state hacker groups that have targeted the United States power grid—and even successfully breached American electric utilities—only the Russian military intelligence group known as Sandworm has been brazen enough to trigger actual blackouts, shutting the lights off in Ukraine in 2015 and 2016. Now one grid-focused security firm is warning that a group with ties to Sandworm’s uniquely dangerous hackers has also been actively targeting the US energy system for years.
On Wednesday, industrial cybersecurity firm Dragos published its annual report on the state of industrial control systems security, which names four new foreign hacker groups focused on those critical infrastructure systems. Three of those newly named groups have targeted industrial control systems in the US, according to Dragos. But most noteworthy, perhaps, is a group that Dragos calls Kamacite, which the security firm describes as having worked in cooperation with the GRU's Sandworm. Kamacite has in the past served as Sandworm's "access" team, the Dragos researchers write, focused on gaining a foothold in a target network before handing off that access to a different group of Sandworm hackers, who have then sometimes carried out disruptive effects. Dragos says Kamacite has repeatedly targeted US electric utilities, oil and gas, and other industrial firms since as early as 2017.
"They are continuously operating against US electric entities to try to maintain some semblance of persistence" inside their IT networks, says Dragos vice president of threat intelligence and former NSA analyst Sergio Caltagirone. In a handful of cases over those four years, Caltagirone says, the group's attempts to breach those US targets' networks have been successful, leading to access to those utilities that's been intermittent, if not quite persistent.
Caltagirone says Dragos has only confirmed successful Kamacite breaches of US networks prior, however, and has never seen those intrusions in the US lead to disruptive payloads. But because Kamacite's history includes working as part of Sandworm's operations that triggered blackouts in Ukraine not once, but twice—turning off the power to a quarter million Ukrainians in late 2015 and then to a fraction of the capital of Kyiv in late 2016—its targeting of the US grid should raise alarms. "If you see Kamacite in an industrial network or targeting industrial entities, you clearly can't be confident they're just gathering information. You have to assume something else follows," Caltagirone says. "Kamacite is dangerous to industrial control facilities because when they attack them, they have a connection to entities who know how to do destructive operations."
Dragos ties Kamacite to electric grid intrusions not just in the US, but also to European targets well beyond the well-publicized attacks in Ukraine. That includes a hacking campaign against Germany's electric sector in 2017. Caltagirone adds that there have been "a couple of successful intrusions between 2017 and 2018 by Kamacite of industrial environments in Western Europe."
If you don't see any comments yet, congrats! You get first comment. Be nice and have fun.
CLICK TO SHARE