The Iran-linked APT group RASPITE is targeting US, Middle East, Europe, and East Asia

According to Security affairs, industrial network security company Dragos researchers report that a network espionage organization (also known as Leafminer), operating outside of Iran, called RASPITE, has been targeting facilities in the United States, Europe, the Middle East and East Asia. The organization has been active since at least 2017, and researchers have discovered attacks on the Middle East government and other types of organizations.

Last week, Symantec researchers released a detailed report on the activities of the cyber-spy team based on the tracking of the Leafminer organization. The researchers said the organization’s attack could be more extensive and they found a case in Iran. A list of 809 targets written in Persian. The list is grouped according to their interest in the region and industry, targeting the United Arab Emirates, Qatar, Bahrain, Egypt, and Afghanistan. The systems for these targets have been scanned by attackers.

Cybercrime activity

Now Dragos researchers have confirmed that it is RASPITE that has been targeting industrial control systems, and hackers have also visited the US power sector.

Hackers use hacked websites to conduct puddle attacks to provide potential victims with the content of interest. The RASPITE attack looks similar to attacks like DYMALLOY and ALLANITE, where hackers collect Windows credentials by injecting a website link to prompt for SMB connections. The attacker then deploys a script to install malware that connects to C&C ads and then lets the attacker take control of the infected computer.

According to Dragos, even though RASPITE is primarily targeted at ICS systems, there is no news that such devices are subject to devastating attacks.

RASPITE’s activity to date currently focuses on initial access operations within the electric utility sector. Although focused on ICS-operating entities, RASPITE has not demonstrated an ICS-specific capability to date.” continues Dragos.

This means that the activity group is targeting electric utilities, but there is no current indication the group has the capability of destructive ICS attacks including widespread blackouts like those in Ukraine.”