Back in September 2017, Dragos warned of a new hacking group it named Covellite. It was monitoring phishing attacks by the group that were focused on US electric companies.
Further investigation showed similar attacks in other countries. None of the attacks seemed to deploy malware against ICS systems. However, if email recipients opened the phishing email, it deployed a remote access trojan (RAT).
In its latest analysis of Covellite, Dragos says that Covellite: “remains active but appears to have abandoned North American targets, with indications of activity in Europe and East Asia. Given the group’s specific interest in infrastructure operations, rapidly improving capabilities, and history of aggressive targeting, Dragos considers this group a primary threat to the ICS industry.”
Who is Covellite?
Covellite is believed to be a hacking group based in North Korea. This claim comes from other security vendors, who have also pointed out similarities between the techniques and code used by Covellite and those of other groups.
In Dragos’ March 2018 update on threats to ICS systems, it named Covellite as a group to watch. It said there were: “similarities in both infrastructure and malware with the LAZARUS GROUP APT6 (Novetta), also referred to as ZINC (Microsoft), and HIDDEN COBRA (DHS).”
While there is no evidence yet of Covellite disrupting or attempting to disrupt electricity grids, it has been named in other attacks. Those include the Sony Pictures hack and attacks on bitcoin. The latter is a known goal of North Korean hacking teams, which strengthens the argument that Covellite is linked to that country.
Despite the move away from North American targets, Dragos is still warning about Covellite. It says: “Given the group’s specific interest in infrastructure operations, rapidly improving capabilities, and history of aggressive targeting, Dragos considers this group a primary threat to the ICS industry.”
What does this mean?
The abandoning of North American targets is extremely interesting. Covellite has been linked by other security vendors to North Korea. As the on/off summit saga between the two countries drags on, it could be that hacking groups have been ordered to reduce attacks on the US.
The latter part of the statement is also important. It implies that Covellite has evolved its ICS capabilities. Deploying a RAT for surveillance and access is one thing; malware capable of stopping a power grid is something else. If proven, this is a significant evolution for the hacking group.