Allanite threat actor focused on critical infrastructure is targeting electric utilities and ICS networks

Security experts from the industrial cybersecurity firm Dragos warn of a threat actor tracked as Allanite has been targeting business and industrial control networks at electric utilities in the United States and the United Kingdom.

Dragos experts linked the campaigns conducted by the Dragonfly APT group and Dymalloy APT, aka Energetic Bear and Crouching Yeti, to a threat actors they tracked as ‘Allanite.’

Allanite has been active at least since May 2017 and it is still targeting both business and ICS networks at electric utilities in the US and UK.

Experts believe the APT group is conducting reconnaissance and gathering intelligence for later attacks.

For those that are unaware of Dymalloy APT, the threat actor was discovered by Dragos researchers while investigating the Dragonfly’s operations. The Dragonfly APT group is allegedly linked to Russian intelligence and it is believed to be responsible for the Havex malware.

According to the researchers, the TA17-293A alert published by the DHS in October 2017 suggests a link between Dragonfly attacks with Allanite operations

Dragos experts highlighted that Allanite operations present similarities with the Palmetto Fusion campaign associated with Dragonfly by the DHS in July 2017.

At the same time, the experts believe the threat actor is different from Dragonfly and Dymalloy.

Like Dragonfly and Dymalloy, Allanite hackers leverage spear phishing and watering hole attacks, but differently from them, they don’t use any malware.

Is Allanite a Russia-linked threat actor?

Many security experts linked the APT group to Russia, but Dragos researchers did not corroborate the same thesis.

According to the Dragos, the hackers harvest information directly from ICS networks in campaigns conducted in 2017.

At the time the group has never hacked into a system to cause any disruption or damage.

The report published by Dragos on the Allanite APT is the first analysis of a collection of related to threat groups targeting critical infrastructure.

Summary info on threat actors will be made available through an Activity Groups dashboard, but users interested in the full technical report need to pay it.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs –  SCADA,  APT)

[adrotate banner=”5″]

[adrotate banner=”13″]