Published on January 10th, 2020

Iranian hackers hit Bahrain oil company, target US power utilities


Iranian hackers have successfully hit Bahrain’s national oil company, and a new report has found that Iranian state-sponsored hackers have also been targeting U.S. power utilities.

The attack in Bahrain targeted the oil company Bapco on Dec. 29 and is said to have involved a new strain of data-wiping malware. Dubbed “Dustman” by Saudi Arabia’s National Cybersecurity Authority, the malware, designed to delete data on an infected computer, was quickly detected and caused only minor disruptions on Bapco’s network.

“This attack could have been much worse, and while we don’t know all the details, I’m willing to bet that Bapco had planned out their response before this incident occurred,” Roger A. Grimes, data-driven defense evangelist at security training company KnowBe4 Inc., told SiliconANGLE. “The lack of utter devastation this time around should be counted as a major computer defense success.”

“The 2012 Disttrack attack against Saudi Aramco, which devastated that company and put all of Saudi Arabia on its heels for half a year, led to the better successful defense of Bahrain,” Grimes explained. “The Saudi Aramco attack changed everything for that part of the world. Before the Saudi Aramco attack, Middle East computer security was worse than poor. It was almost non-existent. But losing 32,000 computers, servers and workstations, in one of the world’s first nation-state attacks and the shutting down of the number one wealth producer for the country has a way of creating focus.”

As details of the Dustman attack were first published, a separate report from cybersecurity firm Dragos Inc. detailed the activities of an Iranian hacking group it calls Magnallium, also known as APT33, in targeting U.S. power companies.

The report says the group has been undertaking a broad campaign of password-spraying attacks against U.S. firms since the beginning of 2019. In a password-spraying attack, the attacker tries a few commonly used passwords against many accounts rather than many passwords against one account, which keeps each account below its lockout threshold and makes the activity easy to miss in per-account failure counts. Wired reports that another Iranian group called Parasite has also been working with Magnallium by attempting to exploit vulnerabilities in virtual private networking software.
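To make that distinction concrete, here is an added example (not code from the article, Dragos or Wired) that classifies authentication failures from a constructed log extract in a made-up `key=value` format. A source that fails against many distinct accounts a couple of times each is reported as a spray, many failures against one account is reported as brute force, and any later success from the same source is listed for follow-up. The log lines, field names, addresses (RFC 5737 documentation ranges) and thresholds are all assumptions for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the article or any real incident).
# 203.0.113.7  : one try each against six accounts, then one success  -> spray
# 198.51.100.9 : six failures against a single account               -> brute force
# 192.0.2.44   : a user mistyping once and then logging in            -> benign
SAMPLE_LOG = """\
2020-01-03T02:11:05Z src=203.0.113.7 user=alice result=FAIL
2020-01-03T02:11:06Z src=203.0.113.7 user=bob result=FAIL
2020-01-03T02:11:07Z src=203.0.113.7 user=carol result=FAIL
2020-01-03T02:11:08Z src=203.0.113.7 user=dave result=FAIL
2020-01-03T02:11:09Z src=203.0.113.7 user=erin result=FAIL
2020-01-03T02:11:10Z src=203.0.113.7 user=frank result=FAIL
2020-01-03T02:11:11Z src=203.0.113.7 user=grace result=SUCCESS
2020-01-03T02:30:00Z src=198.51.100.9 user=alice result=FAIL
2020-01-03T02:30:01Z src=198.51.100.9 user=alice result=FAIL
2020-01-03T02:30:02Z src=198.51.100.9 user=alice result=FAIL
2020-01-03T02:30:03Z src=198.51.100.9 user=alice result=FAIL
2020-01-03T02:30:04Z src=198.51.100.9 user=alice result=FAIL
2020-01-03T02:30:05Z src=198.51.100.9 user=alice result=FAIL
2020-01-03T09:00:00Z src=192.0.2.44 user=bob result=FAIL
2020-01-03T09:00:30Z src=192.0.2.44 user=bob result=SUCCESS
"""

# Assumed log format; adapt the regex to the real authentication source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>FAIL|SUCCESS)$"
)


def parse_events(text):
    """Parse the constructed log format into dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"],
            "user": m["user"],
            "result": m["result"],
        })
    return events


def classify_sources(events, window=timedelta(minutes=10), min_events=5, max_per_user=2):
    """Per source address, slide a time window over its failures and report the shape.

    spray:       >= min_events failures spread over that many distinct users, each
                 tried at most max_per_user times (stays under per-account lockout).
    brute_force: >= min_events failures against a single user.
    The widest qualifying window is reported. Successes from the same source at or
    after the start of that window are listed: those accounts need checking first.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "FAIL"]
        start = 0
        for end in range(len(fails)):
            # Advance the window start so that the window never exceeds `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            win = fails[start:end + 1]
            if len(win) < min_events:
                continue
            per_user = Counter(e["user"] for e in win)
            if len(per_user) >= min_events and max(per_user.values()) <= max_per_user:
                pattern = "spray"
            elif len(per_user) == 1:
                pattern = "brute_force"
            else:
                continue
            window_start = win[0]["ts"]
            findings[src] = {
                "pattern": pattern,
                "failures": len(win),
                "distinct_users": len(per_user),
                "successes_after": sorted({
                    e["user"] for e in evs
                    if e["result"] == "SUCCESS" and e["ts"] >= window_start
                }),
            }
    return findings


if __name__ == "__main__":
    for src, f in classify_sources(parse_events(SAMPLE_LOG)).items():
        print(src, f)
```

The thresholds (five events in ten minutes, at most two attempts per account) are starting points to be tuned to the authentication volume of the system. Real campaigns rotate source addresses, so the same logic is worth running keyed on user-agent, ASN or target tenant as well as on source address.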

Dragos did not say whether any of the attacks were successful.

Jason Kent, hacker in residence at application security firm Cequence Security Inc. noted that “these groups are looking for ways to cause the greatest amount of disruption with the least amount of effort possible. Because our electrical grid and gas systems are largely run by regional monopolies, the attackers cannot focus on one target. This can be a protective measure so long as each of these organizations has tightened security to the NERC-CIP standards that govern the security of the grid.”





“As we all know, compliance with security standards often has certain holes and can allow for an attacker to gain access,” Kent added. “These holes are what they are counting on. Once in, deleting files or causing damage to networks has been their goal. Hopefully, they won’t move on to more sophisticated attacks targeting the destruction of sensitive systems like our nuclear power generation systems.”

Rosa Smothers, senior vice president of cyber operations at KnowBe4 said that “it’s widely known that APTs 33 and 34 are associated with Iranian state-sponsored hackers. The U.S. government has repeatedly warned the private sector about Iranian cybersecurity threats, specifically regarding their go-to access methods – phishing attacks and password spraying.”

“No one should be surprised by this, and something as basic as rejecting frequently used or known breached passwords is an easy security problem to resolve,” Smothers concluded. “Given the continued threat notifications by the U.S. Government and others, this should’ve been addressed and remediated long before now. The solution to these attacks is simple: reject commonly used or breached passwords and train users to spot phishing attacks and you’re ahead of the Iran-based CNA curve.”
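As an added illustration of the control Smothers describes (not code from KnowBe4 or the article), the following Python check rejects passwords that are too short, contain banned words, or appear in a breach corpus. The breach lookup is modelled on the k-anonymity range-query scheme used by Have I Been Pwned’s Pwned Passwords service, in which only the first five hex characters of the password’s SHA-1 hash leave the client and the server answers with every matching suffix and its count. Here the range endpoint is replaced by an in-process stand-in built from a small constructed corpus with invented counts, so nothing is fetched over the network; the banned-word list and minimum length are assumptions.

```python
import hashlib

# Constructed stand-in for a breached-password corpus; the counts are invented.
CONSTRUCTED_BREACH_CORPUS = {
    "password": 3730471,
    "Password123": 123456,
    "Welcome1": 54321,
    "Summer2019": 9876,
    "Winter2020!": 2345,
    "letmein": 654321,
}

# Assumed deny list of substrings a utility would ban regardless of breach data.
BANNED_WORDS = ("password", "welcome", "letmein", "changeme", "qwerty")


def sha1_hex(password):
    """Upper-case hex SHA-1, the digest the range-query scheme is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Group corpus hashes by 5-char prefix into 'SUFFIX:COUNT' lines, as a range server would."""
    index = {}
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index.setdefault(h[:5], []).append(f"{h[5:]}:{count}")
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_BREACH_CORPUS)
QUERIES = []  # records what a real client would send over the wire: prefixes only


def range_lookup(prefix):
    """Stand-in for the HTTPS range endpoint (no network); returns the response body text."""
    assert len(prefix) == 5, "only the 5-char hash prefix may be sent"
    QUERIES.append(prefix)
    return "\n".join(RANGE_INDEX.get(prefix, []))


def breach_count(password):
    """Return how often the password appears in the corpus, matching the suffix client-side."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in range_lookup(prefix).splitlines():
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def check_password(password, min_len=8):
    """Return (accepted, reason). Checks run cheapest first: length, banned words, breach corpus."""
    if len(password) < min_len:
        return False, "too short"
    lowered = password.lower()
    for word in BANNED_WORDS:
        if word in lowered:
            return False, f"contains banned word '{word}'"
    n = breach_count(password)
    if n:
        return False, f"seen {n} times in breach corpus"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("Winter2020!", "Password123", "correct-horse-battery-staple"):
        print(candidate, check_password(candidate))
```

The order of checks matters operationally: the length and deny-list tests are local and free, so the hash-prefix query (a network call in a real deployment) only runs for candidates that have passed them. The prefix-only query is what keeps the scheme safe to run against an external service, since a five-character prefix covers hundreds of corpus entries and never reveals which one the user chose.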

Photo: ShashiBellamkonda/Wikimedia Commons
