The hacking group Allanite has been found to be targeting business and industrial control system (ICS) networks at electric utilities in the United States and United Kingdom.
According to the industrial cybersecurity firm Dragos, the threat actor Allanite has been active since at least May 2017 and remains active, conducting reconnaissance operations to gather intelligence for likely use in future attack efforts.
Researchers from Dragos have tied Allanite to campaigns run by the Dragonfly APT group (aka Energetic Bear and Crouching Yeti), a cyberespionage group operating out of Russia, and Dymalloy, a hacking group whose attacks Dragos detected while investigating Dragonfly.
Dragos observed Dragonfly targeting the control systems of U.S. energy firms using its sophisticated Havex malware. Dymalloy (which does not appear to be directly connected to Dragonfly) has been able to breach ICS organizations in the U.S., Europe and Turkey, allowing the APT actor to gain access to HMI devices.
The Department of Homeland Security (DHS) and FBI published a technical alert, TA17-293A, on Dragonfly in October 2017, warning that government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors were the targets of an ongoing attack campaign by the group. Dragos now says that those attacks combined Dragonfly tactics with Allanite activity.
The firm also noted that Allanite’s operations bear similarities to the Palmetto Fusion campaign conducted by Dragonfly, which the DHS highlighted in July 2017.
Like Dragonfly and Dymalloy, Allanite uses spear phishing and watering hole attacks. The Dragos experts nevertheless believe that Allanite is a threat actor distinct from Dragonfly and Dymalloy for a number of reasons; for instance, Allanite does not deploy malware. So far, the group has not hacked into a system to explicitly cause disruption or damage; rather, it has been harvesting information directly from ICS networks.
Allanite's other capabilities include PowerShell scripts, THC Hydra, SecretsDump, Inveigh and PsExec.
Other security experts have linked Allanite to Russia; however, Dragos has not done so.
The report on Allanite is the first in a series from Dragos about different Adversary Groups.
“By collecting and analyzing cyber intrusions or attempts to compromise ICS networks, we have created profiles of the known groups targeting ICS environments”, said Dragos. “Dragos does not attribute behaviors to individuals or nation-states. Instead, we focus not on who but on how they operate. This allows Dragos to create robust analytics that provide comprehensive data around actions, capabilities, and intentions which defenders can use in creating defensive plans.”