Cyber Incident Victim: American Electric Utilities
Date: Jan 2019
Location: United States of America
Summary
Iranian state-sponsored hacking groups Magnallium (also known as APT33) and Parisite conducted sustained intrusion attempts against a US electric utility and other critical infrastructure entities. The groups employed password-spraying attacks against large numbers of accounts and attempted to exploit vulnerabilities in VPN software over an extended campaign. While these activities demonstrated persistent efforts to establish network access, investigators found no evidence that the groups had the capability to compromise physical grid control systems or cause operational disruptions such as blackouts. The threat actors had historically used similar access for destructive attacks elsewhere, including deploying wiper malware to erase organizational data and cripple business operations, raising concerns about potential follow-on actions against any systems already compromised.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 2 actors | Available to members | Available to members |
Description
Between January and December 2019, state-sponsored Iranian hacking groups Magnallium (also known as APT33, Refined Kitten, or Elfin) and Parisite conducted sustained cyber operations targeting US electric utilities and oil and gas companies. Dragos, an industrial control system security firm, observed Magnallium executing widespread password-spraying attacks against these entities: trying a small set of common passwords against many accounts rather than many passwords against one, which spreads the attempts thinly enough to avoid per-account lockout thresholds. Concurrently, Parisite attempted to exploit vulnerabilities in virtual private networking (VPN) software used by the same critical infrastructure organizations, with both groups coordinating their activities throughout the year. The campaign extended beyond electric utilities to include oil and gas infrastructure, though electric grid operators were a primary focus. Security researchers identified VPN products from Pulse Secure, Fortinet, and Palo Alto Networks as likely exploitation targets, based on separate reporting about Iranian hackers compromising Bahrain's national oil firm through similar vulnerabilities. Dragos confirmed the attackers' persistent efforts but did not verify any successful breach into the operational technology systems controlling physical grid equipment.
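The password-spraying pattern described above has a recognizable signature in a VPN concentrator's authentication log: one source touching many accounts with very few failures per account, which is the opposite of a classic brute-force run against a single account. The following detector is an added example, not code from Dragos or from the incident; the log line format, the field names, the sample log lines and the thresholds are all constructed for this illustration and are not any vendor's real syslog layout. It classifies each source IP within a sliding time window and, for a spraying source, reports any account that successfully authenticated inside the same window, since that is the account most likely to have been compromised.

```python
"""Password-spray detection over constructed VPN authentication logs."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not data from the incident). The line format
# "<UTC time> vpn auth-fail|auth-ok user=<name> src=<ip>" is an assumption
# for this example, not any vendor's real syslog layout.
SAMPLE_LOG = """\
2019-03-04T02:00:01Z vpn auth-fail user=alice src=203.0.113.10
2019-03-04T02:00:09Z vpn auth-fail user=bob src=203.0.113.10
2019-03-04T02:00:17Z vpn auth-fail user=carol src=203.0.113.10
2019-03-04T02:00:25Z vpn auth-fail user=dave src=203.0.113.10
2019-03-04T02:00:33Z vpn auth-fail user=erin src=203.0.113.10
2019-03-04T02:00:41Z vpn auth-fail user=frank src=203.0.113.10
2019-03-04T02:00:49Z vpn auth-fail user=grace src=203.0.113.10
2019-03-04T02:00:57Z vpn auth-fail user=heidi src=203.0.113.10
2019-03-04T02:01:05Z vpn auth-fail user=ivan src=203.0.113.10
2019-03-04T02:01:13Z vpn auth-ok user=judy src=203.0.113.10
2019-03-04T02:10:00Z vpn auth-fail user=admin src=198.51.100.7
2019-03-04T02:10:10Z vpn auth-fail user=admin src=198.51.100.7
2019-03-04T02:10:20Z vpn auth-fail user=admin src=198.51.100.7
2019-03-04T02:10:30Z vpn auth-fail user=admin src=198.51.100.7
2019-03-04T02:10:40Z vpn auth-fail user=admin src=198.51.100.7
2019-03-04T02:10:50Z vpn auth-fail user=admin src=198.51.100.7
2019-03-04T08:30:00Z vpn auth-fail user=carol src=192.0.2.5
2019-03-04T08:30:20Z vpn auth-ok user=carol src=192.0.2.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn (?P<result>auth-fail|auth-ok) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Return (timestamp, success, user, src) tuples sorted by time."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"] == "auth-ok", m["user"], m["src"]))
    events.sort()
    return events


def detect(events, window=timedelta(minutes=30), min_accounts=5,
           max_per_account=2, brute_min=5):
    """Classify each source IP using a sliding time window.

    spray:        failures spread over >= min_accounts distinct accounts with
                  at most max_per_account failures each (breadth, not depth,
                  which is what keeps spraying under lockout limits)
    brute_force:  >= brute_min failures against a single account
    For a flagged source, every account that logged in successfully inside
    the same window is listed under "successes".
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # shrink from the left so evs[start:end+1] spans at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            fails = Counter(u for _, ok, u, _ in span if not ok)
            if not fails:
                continue
            if len(fails) >= min_accounts and max(fails.values()) <= max_per_account:
                kind = "spray"
            elif max(fails.values()) >= brute_min:
                kind = "brute_force"
            else:
                continue
            successes = sorted({u for _, ok, u, _ in span if ok})
            finding = {"kind": kind, "accounts": len(fails),
                       "failures": sum(fails.values()), "successes": successes}
            prev = findings.get(src)
            # keep the window that covers the most failures for this source
            if prev is None or finding["failures"] >= prev["failures"]:
                findings[src] = finding
    return findings


if __name__ == "__main__":
    for src, finding in detect(parse(SAMPLE_LOG)).items():
        print(src, finding)
```

On the constructed input this flags 203.0.113.10 as a spray across nine accounts with judy as the successful login to investigate, flags 198.51.100.7 as a brute-force attempt on admin, and leaves 192.0.2.5 (one typo followed by a good login) alone. Real campaigns rotate source addresses, so a production version of this would also key on the pool of sources (ASN, user-agent, or a short subnet) rather than a single IP, and would be run retrospectively over the whole retention period, which is the kind of historical audit the advice at the end of this entry calls for. Note that it covers only the credential-guessing half of the campaign; exploitation of VPN software vulnerabilities leaves a different trail (vendor advisories, crash or web-access logs on the appliance) and needs its own checks.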

The observed activities demonstrated reconnaissance and access acquisition objectives rather than immediate disruptive capabilities. While Iranian actors had historically breached US electric utilities to establish footholds for future attacks, Dragos found no evidence that Magnallium or Parisite had developed tools to manipulate industrial control systems (ICS) such as circuit breakers or to induce blackouts. However, FireEye intelligence indicated that APT33 had previously deployed destructive wiper malware against Middle Eastern targets, so a compromised utility IT network could still face data destruction that disrupts business operations even if grid equipment is never touched. The US Department of Energy's former incident response lead noted that the campaign's broad scope allowed the attackers to accumulate network access points rapidly and at low cost for potential future exploitation. Dragos emphasized that the threat stemmed from possible pre-existing compromises rather than from new operations launched after the January 2020 killing of Iranian general Qasem Soleimani. Infrastructure operators were advised to audit their systems for signs of historical intrusion, given the prolonged attack timeline and escalating US-Iran tensions throughout 2019.
