ELECTRUM, ERYTHRITE & WASSONITE – 2022 update
Continuing last week's entry on the operations of the most notable active threat groups in Dragos' Year in Review 2022 report, today's article covers ELECTRUM, ERYTHRITE and WASSONITE.
ELECTRUM, associated with the SANDWORM APT, is responsible for the first publicly confirmed cyber attack to cause a power outage: on 23 December 2015, substations belonging to three regional electricity distribution companies in Ukraine were taken offline, leaving roughly 225,000 customers without power for between one and six hours.
The attack was a sophisticated, multi-stage operation that started with spear-phishing emails carrying weaponised Office documents that dropped the BlackEnergy 3 malware.
Once the corporate networks were compromised, the attackers harvested credentials, gained remote access to the distribution companies' SCADA systems and used the operators' own HMI sessions to open breakers at the substations remotely.
KillDisk was then deployed to wipe files and master boot records on servers and workstations, hampering restoration. The outage was accompanied by a telephony denial-of-service (TDoS) attack on the utilities' call centres, preventing customers from reporting the blackout or obtaining any information about it.
Just before midnight on 17 December 2016, the Ukrainian grid suffered its second attack, this time on the Pivnichna transmission substation serving Kyiv. The blackout cut roughly a fifth of the city's electricity consumption for about an hour. According to Dragos' assessment, the attack used CRASHOVERRIDE (aka INDUSTROYER), the first malware built specifically to disrupt electric grid operations.
In 2022 ELECTRUM was still active and continued to enhance and adapt its capabilities against electric grid operations.
In April 2022 the Slovak security company ESET, working with CERT-UA, reported that a Ukrainian energy provider had been targeted with several malware families. After its own assessment, Dragos determined with moderate confidence that ELECTRUM was responsible, making this the third time ELECTRUM had attacked a Ukrainian utility.
In the April 2022 incident ELECTRUM used the INDUSTROYER2 malware together with a set of wipers. The wipers were deployed to hinder recovery and erase traces of ELECTRUM's activity. Whereas CRASHOVERRIDE shipped separate modules for several protocols (IEC 60870-5-101, IEC 60870-5-104, IEC 61850 and OPC DA), INDUSTROYER2 is a single executable that speaks only IEC 60870-5-104 (IEC-104) to its targets, with the target IP addresses, common ASDU addresses and information object addresses embedded in its configuration.
According to Dragos, ELECTRUM is expected to keep targeting electric utilities in Ukraine. Because the same equipment and protocols are used in other electric environments, ELECTRUM is also capable of targeting electric entities outside Ukraine.
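Because INDUSTROYER2 drives the substation equipment over a single standard protocol, the traffic it produces looks like that of any other IEC-104 master; what distinguishes it is the source host and the commands it sends. The following is an added example written for this article, not code from Dragos, ESET or the malware authors: a minimal IEC 60870-5-104 parser that decodes the APCI control fields and the ASDU header, plus an audit that flags single and double commands (type IDs 45/46 and their time-tagged variants 58/59) sent with cause of transmission "activation" by a host that is not on an allow-list of known SCADA masters. The frames, the 10.0.1.x addresses and the allow-list are constructed for the example.

```python
"""Minimal IEC 60870-5-104 (IEC-104) APDU parser with a control-command audit.

Added example for this article, not code from Dragos or ESET. SAMPLE_FRAMES,
the 10.0.1.x source addresses and ALLOWED_MASTERS are constructed test data.
"""
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

START_BYTE = 0x68

# ASDU type identifiers in the control direction that change process state.
CONTROL_TYPES = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    58: "C_SC_TA_1 single command with CP56Time2a",
    59: "C_DC_TA_1 double command with CP56Time2a",
    60: "C_RC_TA_1 regulating step command with CP56Time2a",
}
# Size in bytes of one information element for the ASDU types handled here.
ELEMENT_SIZE = {1: 1, 3: 1, 45: 1, 46: 1, 47: 1, 58: 8, 59: 8, 60: 8, 100: 1}
U_FUNCTIONS = {0x07: "STARTDT act", 0x0B: "STARTDT con", 0x13: "STOPDT act",
               0x23: "STOPDT con", 0x43: "TESTFR act", 0x83: "TESTFR con"}


@dataclass
class Apdu:
    fmt: str                          # "I", "S" or "U"
    u_function: Optional[str] = None  # U-frames only
    type_id: Optional[int] = None     # I-frames only
    cot: Optional[int] = None         # cause of transmission (low 6 bits)
    common_addr: Optional[int] = None
    objects: List[Tuple[int, bytes]] = field(default_factory=list)  # (IOA, element)


def parse_apdu(data: bytes) -> Apdu:
    """Parse one APDU: 0x68, length, four control-field bytes, optional ASDU."""
    if len(data) < 6 or data[0] != START_BYTE:
        raise ValueError("not an IEC-104 APDU")
    if data[1] != len(data) - 2:          # length covers everything after itself
        raise ValueError("APDU length field does not match frame size")
    cf1 = data[2]
    if cf1 & 0x01 == 0:
        fmt = "I"
    elif cf1 & 0x03 == 0x01:
        fmt = "S"
    else:
        fmt = "U"
    if fmt == "U":
        return Apdu("U", u_function=U_FUNCTIONS.get(cf1, f"unknown 0x{cf1:02x}"))
    if fmt == "S":
        return Apdu("S")
    asdu = data[6:]
    if len(asdu) < 6:
        raise ValueError("I-frame without a complete ASDU header")
    # IEC-104: 2-byte COT (cause + originator) and 2-byte little-endian common address.
    type_id, vsq, cot_byte, _orig, common_addr = struct.unpack("<BBBBH", asdu[:6])
    if type_id not in ELEMENT_SIZE:
        raise ValueError(f"unsupported ASDU type {type_id}")
    size, count, sequential = ELEMENT_SIZE[type_id], vsq & 0x7F, bool(vsq & 0x80)
    body, objects = asdu[6:], []
    if sequential:                        # one IOA, then `count` consecutive elements
        base_ioa = int.from_bytes(body[:3], "little")
        body = body[3:]
        for i in range(count):
            objects.append((base_ioa + i, body[i * size:(i + 1) * size]))
    else:                                 # every element carries its own 3-byte IOA
        for i in range(count):
            off = i * (3 + size)
            ioa = int.from_bytes(body[off:off + 3], "little")
            objects.append((ioa, body[off + 3:off + 3 + size]))
    if any(len(el) != size for _, el in objects):
        raise ValueError("ASDU truncated")
    return Apdu("I", type_id=type_id, cot=cot_byte & 0x3F,
                common_addr=common_addr, objects=objects)


def describe_command(type_id: int, element: bytes) -> str:
    """Decode the switch state requested by a single or double command element."""
    q = element[0]
    stage = "select" if q & 0x80 else "execute"   # S/E bit: select-before-operate
    if type_id in (45, 58):                       # SCO: bit 0 = SCS (1 = ON)
        return f"{stage} {'ON' if q & 0x01 else 'OFF'}"
    if type_id in (46, 59):                       # DCO: bits 0-1 = DCS (1 = OFF, 2 = ON)
        return f"{stage} {({1: 'OFF', 2: 'ON'}).get(q & 0x03, 'invalid DCS')}"
    return stage


def audit_frames(frames: List[Tuple[str, bytes]], allowed_masters: set) -> List[str]:
    """Flag activation commands from hosts that are not known SCADA masters."""
    alerts = []
    for src, raw in frames:
        apdu = parse_apdu(raw)
        if apdu.fmt != "I" or apdu.type_id not in CONTROL_TYPES or apdu.cot != 6:
            continue                              # not a control-direction activation
        if src in allowed_masters:
            continue
        for ioa, element in apdu.objects:
            alerts.append(f"{src}: {CONTROL_TYPES[apdu.type_id]} CA={apdu.common_addr} "
                          f"IOA={ioa} {describe_command(apdu.type_id, element)}")
    return alerts


# Constructed frames: STARTDT from the real master, a single command from the master,
# a spontaneous single-point report from an RTU, then a sequenced burst of single
# commands and a double command from an unknown host.
SAMPLE_FRAMES = [
    ("10.0.1.5", bytes.fromhex("68 04 07 00 00 00")),
    ("10.0.1.5", bytes.fromhex("68 0E 00 00 00 00 2D 01 06 00 01 00 E8 03 00 01")),
    ("10.0.1.20", bytes.fromhex("68 0E 02 00 02 00 01 01 03 00 01 00 D0 07 00 01")),
    ("10.0.1.99", bytes.fromhex("68 0F 00 00 00 00 2D 82 06 00 01 00 E8 03 00 01 00")),
    ("10.0.1.99", bytes.fromhex("68 0E 00 00 00 00 2E 01 06 00 01 00 E9 03 00 01")),
]
ALLOWED_MASTERS = {"10.0.1.5"}

if __name__ == "__main__":
    for line in audit_frames(SAMPLE_FRAMES, ALLOWED_MASTERS):
        print(line)
```

In a real deployment the frames would come from a capture of TCP port 2404 traffic rather than the constructed list above, and a STARTDT act from a host that is not an allow-listed master deserves an alert of its own, since a rogue master must send it before any commands will be accepted. The sequenced (SQ=1) frame is included because a burst of commands over consecutive information object addresses is the pattern a scripted attacker tool produces, as opposed to the single operator-driven select-then-execute pair.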
According to Dragos, ERYTHRITE started its malicious activities in May 2020.
ERYTHRITE has compromised the OT environment of a Fortune 500 company and the IT networks of significant players across several industries, including electric utilities, food and beverage companies, automobile manufacturers, IT service providers and multiple oil and natural gas (ONG) service firms. It has also targeted an electronic agreement and document signature management company with a user base of hundreds of millions worldwide.
Although ERYTHRITE has not exhibited any ICS-specific capabilities, it remains an ongoing and dynamic threat to industrial organisations because of the scale of its operations, its focus on stealing data and credentials after compromise, and its ties to the wider cybercriminal ecosystem. ERYTHRITE is a particular hazard for organisations with weak ICS/OT network segmentation and poor network visibility, where a credential-stealing IT intrusion can reach the OT network unobserved.
Throughout 2022 ERYTHRITE kept infiltrating industrial organisations in North America using adaptable search engine optimisation (SEO) poisoning and custom, rapidly evolving malware, consistently demonstrating its ability to build and deploy malware and infrastructure at scale.
WASSONITE has been active since at least 2018 and was linked by Dragos to the 2019 malware intrusion at the Kudankulam Nuclear Power Plant (KKNPP) in India.
WASSONITE focuses on industrial control system (ICS) entities in the nuclear energy, electric, oil and gas, advanced manufacturing, pharmaceutical and aerospace sectors, primarily in South and East Asia, with some additional targets in North America. Its operations have consistently demonstrated the ability to carry out Stage 1 (enterprise intrusion) of the ICS Cyber Kill Chain.
In late 2022 Dragos investigated WASSONITE's use of nuclear energy-themed spear phishing lures written in Korean to deliver the AppleSeed backdoor. AppleSeed is a multi-component backdoor that can capture screenshots, log keystrokes, and collect information on removable media and on specific files belonging to the victim. It can also upload and download files and execute follow-on commands received from a command and control (C2) server.
The lures, with content and titles tailored precisely to nuclear energy in East Asia, are consistent with WASSONITE's long-standing pursuit of organisations in that industry.
WASSONITE relies on spear phishing lures customised for particular industries and organisations as its primary infection vector. Its malware variants also carry modifications specific to individual victim environments, such as hard-coded credentials, non-public IP addresses and uncommon application ports, which indicates operations that are highly targeted rather than opportunistic.
Dragos assesses that WASSONITE will very likely persist in targeting ICS entities in the nuclear energy, electric, oil and gas, advanced manufacturing, pharmaceutical and aerospace industries, primarily in East Asia, South Asia and North America.