RASPITE
Credential capture and LOTL techniques employed for initial access, reconnaissance C2.
THREAT DESCRIPTION
Dragos has identified a new activity group targeting access operations in the electric utility sector. We call this activity group RASPITE.
Analysis of RASPITE tactics, techniques, and procedures (TTPs) indicate the group has been active in some form since early- to mid-2017. RASPITE targeting includes entities in the US, Middle East, Europe, and East Asia. Operations against electric utility organizations appear limited to the US at this time.
RASPITE leverages strategic website compromise to gain initial access to target networks. RASPITE uses the same methodology as DYMALLOY and ALLANITE in embedding a link to a resource to prompt an SMB connection, from which it harvests Windows credentials. The group then deploys install scripts for a malicious service to beacon back to RASPITE-controlled infrastructure, allowing the adversary to remotely access the victim machine.
RASPITE overlaps significantly with Symantec’s LEAFMINER, which recently released a report on the group’s activity in the Middle East.
RASPITE’s activity to date currently focuses on initial access operations within the electric utility sector. Although focused on ICS-operating entities, RASPITE has not demonstrated an ICS-specific capability to date. This means that the activity group is targeting electric utilities, but there is no current indication the group has the capability of destructive ICS attacks including widespread blackouts like those in Ukraine.
While the group has not yet demonstrated an ICS capability, RASPITE’s recent targeting focus and methodology are clear indicators of necessary activity for initial intrusion operations into an IT network to prepare the way for later potential ICS events.
Analysis of RASPITE tactics, techniques, and procedures (TTPs) indicate the group has been active in some form since early- to mid-2017. RASPITE targeting includes entities in the US, Middle East, Europe, and East Asia. Operations against electric utility organizations appear limited to the US at this time.
RASPITE leverages strategic website compromise to gain initial access to target networks. RASPITE uses the same methodology as DYMALLOY and ALLANITE in embedding a link to a resource to prompt an SMB connection, from which it harvests Windows credentials. The group then deploys install scripts for a malicious service to beacon back to RASPITE-controlled infrastructure, allowing the adversary to remotely access the victim machine.
RASPITE overlaps significantly with Symantec’s LEAFMINER, which recently released a report on the group’s activity in the Middle East.
RASPITE’s activity to date currently focuses on initial access operations within the electric utility sector. Although focused on ICS-operating entities, RASPITE has not demonstrated an ICS-specific capability to date. This means that the activity group is targeting electric utilities, but there is no current indication the group has the capability of destructive ICS attacks including widespread blackouts like those in Ukraine.
While the group has not yet demonstrated an ICS capability, RASPITE’s recent targeting focus and methodology are clear indicators of necessary activity for initial intrusion operations into an IT network to prepare the way for later potential ICS events.
Date: Since 2017
ADVERSARY
- Links to Leafminer
CAPABILITIES
- Service installer malware to beacon out to adversary infrastructure
VICTIM
- Electric Utilities
- US, Europe, Saudi Arabia, Japan
INFRASTRUCTURE
- Spoofs domains for legitimate IT services
- Utilizes RDP communications to controlled C2 servers for remote access
ICS IMPACT
- Operations focus on ICS-related organizations, limited to IT network actions for initial access and information collection
