Full Report
Dragos has published information on a newly identified APT group, which it calls RASPITE. According to Dragos, the group's activity overlaps significantly with that of Leafminer, a group described earlier by Symantec; both vendors published their reporting in 2018.
Analysis Summary
# Threat Actor: RASPITE
## Attribution & Identity
* **Identification:** RASPITE is an Advanced Persistent Threat (APT) group first identified by Dragos.
* **Aliases:** Closely overlaps with the group identified by Symantec as **Leafminer**.
* **Associations:** Dragos does not publish state attribution for RASPITE. Symantec assessed Leafminer as a group based in Iran, and the overlap between the two activity sets is the basis for the Iranian nexus commonly cited in wider threat-intelligence reporting; treat it as an inference from that overlap rather than an independent finding about RASPITE.
## Activity Summary
* **Timeline:** Active since at least early-to-mid 2017; publicly reported by Dragos and Symantec in 2018.
* **Campaign Focus:** The group concentrates on access operations against industrial organizations: large-scale scanning and credential harvesting intended to establish footholds that can be expanded later, rather than immediate disruptive activity.
## Tactics, Techniques & Procedures
* **Initial Access:** Delivery of malicious links or documents, including through compromised legitimate websites, whose purpose is to harvest credentials rather than to drop malware.
* **Credential Harvesting:** Forced SMB authentication: the victim's browser or document viewer is pointed at a resource on an attacker-controlled server (an external UNC path), so Windows automatically attempts an SMB connection and sends a Net-NTLM challenge-response. The captured response is then cracked offline or relayed to other hosts.
* **Lateral Movement:** Use of compromised credentials to move through the network.
* **Discovery:** Extensive use of "living-off-the-land" (LotL) tools and scripts to map internal networks.
* **Persistence:** Use of scheduled tasks and service creation to maintain access.
## Targeting
* **Sectors:** Primarily Electric Utility, Oil and Gas, and other Industrial Control Systems (ICS) related enterprises.
* **Geography:** Predominantly targeting the Middle East, with additional operations noted in Europe, East Asia, and the United States.
* **Victims:** Government entities and private industrial organizations within the energy supply chain.
## Tools & Infrastructure
* **Malware:**
  * **Custom Tooling:** Custom scripts and utilities attributed to Leafminer/RASPITE for credential harvesting and data exfiltration.
  * **Publicly Available Tooling:** Use of public penetration-testing tools (e.g., Mimikatz) for credential theft and lateral movement.
* **Infrastructure:**
  * **Hosting:** Compromised legitimate websites and low-cost rented servers, used to stage credential-harvesting content and to receive the resulting SMB authentication attempts.
  * **Indicators:** This summary does not reproduce specific domains or IP addresses. Use the vetted indicators published in the Dragos and Symantec reports rather than illustrative placeholders.
## Implications
The identification of RASPITE underscores a persistent and evolving threat to critical infrastructure. Its overlap with Leafminer suggests a well-resourced actor capable of sustained operations across multiple regions. The 2018 reporting documents access operations only, with no ICS-specific capability observed, and the apparent goal is espionage and data theft; the concern is that established access to ICS-adjacent networks is a precondition for disruptive or destructive action later.
## Mitigations
* **SMB Security:** Block outbound SMB and NetBIOS (TCP 445 and 139, UDP 137 and 138) at the network perimeter so that hosts cannot send NTLM authentication to attacker-controlled servers. Because Windows can fall back to WebDAV over HTTP when SMB is blocked, also restrict outgoing NTLM to remote servers via Group Policy and enforce SMB signing internally to blunt relay. Disabling SMBv1 is sound hygiene but does not by itself stop hash leakage.
* **Multi-Factor Authentication (MFA):** Implement MFA for all remote access points (VPN, RDP) to negate the effectiveness of stolen credentials.
* **Network Segmentation:** Strictly segregate IT and OT (Operational Technology) networks to prevent lateral movement from corporate environments to industrial controllers.
* **Phishing Defense:** Deploy advanced email filtering and conduct user awareness training focused on credential harvesting techniques.
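The forced-SMB-authentication technique described under Tactics, Techniques & Procedures and the perimeter block recommended under Mitigations can both be checked from the same telemetry: any internal host opening an SMB or NetBIOS session to a public address is a candidate credential leak, and a denied session of the same shape shows the egress block doing its job while still pointing at a host that was lured. The following is an added example written for this summary, not tooling from Dragos, Symantec or the actor. The key=value firewall log format, the sample lines and the list of internal address ranges are all constructed assumptions; adapt the parser and the ranges to your own environment.

```python
"""Flag internal -> external SMB/NetBIOS sessions in firewall logs.

Added example for this summary (not vendor or actor code). The log format,
sample lines and internal ranges below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Ports on which a coerced Windows host will send NTLM authentication to a
# remote "file share". TCP 445/139 carry SMB; UDP 137/138 are NetBIOS name
# and datagram services that accompany the legacy path.
SMB_PORTS = {445, 139, 137, 138}

# Assumed internal ranges (RFC 1918). Listed explicitly rather than relying on
# ipaddress.is_global, which also treats documentation ranges as non-global.
INTERNAL_NETS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

# Constructed sample of perimeter firewall log lines (not real traffic).
SAMPLE_LOG = """\
ts=2018-07-10T09:12:01Z src=10.20.5.17 dst=203.0.113.45 proto=tcp dport=445 action=allow
ts=2018-07-10T09:12:02Z src=10.20.5.17 dst=10.20.1.10 proto=tcp dport=445 action=allow
ts=2018-07-10T09:12:03Z src=10.20.5.18 dst=198.51.100.9 proto=tcp dport=139 action=allow
ts=2018-07-10T09:12:04Z src=10.20.5.19 dst=203.0.113.45 proto=tcp dport=443 action=allow
ts=2018-07-10T09:12:05Z src=10.20.5.20 dst=203.0.113.45 proto=tcp dport=445 action=deny
ts=2018-07-10T09:12:06Z src=172.16.3.4 dst=203.0.113.45 proto=tcp dport=445 action=allow
ts=2018-07-10T09:12:07Z src=203.0.113.9 dst=10.20.1.10 proto=tcp dport=445 action=deny
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    action: str


def parse_line(line):
    """Split one 'key=value key=value' log line into a dict."""
    return dict(part.split("=", 1) for part in line.split())


def find_smb_egress(log_text, internal_nets=INTERNAL_NETS):
    """Return a Finding for every SMB/NetBIOS session from an internal source
    to a destination outside the internal ranges, regardless of firewall
    action. Inbound sessions and internal-to-internal file sharing are ignored.
    """
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        f = parse_line(raw)
        dport = int(f["dport"])
        if dport not in SMB_PORTS:
            continue
        src = ipaddress.ip_address(f["src"])
        dst = ipaddress.ip_address(f["dst"])
        src_internal = any(src in n for n in nets)
        dst_internal = any(dst in n for n in nets)
        if not src_internal or dst_internal:
            continue
        findings.append(Finding(f["ts"], f["src"], f["dst"], dport, f["action"]))
    return findings


def summarize(findings):
    """Separate sessions that were allowed (credentials may already have left
    the network) from sessions the perimeter denied (block is effective, but
    the source host was still lured and warrants a look).
    """
    return {
        "possible_hash_leak": [x for x in findings if x.action == "allow"],
        "blocked_attempts": [x for x in findings if x.action == "deny"],
    }


if __name__ == "__main__":
    report = summarize(find_smb_egress(SAMPLE_LOG))
    for label, items in report.items():
        print(f"{label}: {len(items)}")
        for item in items:
            print(f"  {item.ts} {item.src} -> {item.dst}:{item.dport} ({item.action})")
```

Run against the constructed sample, the allowed set is the one to triage first: those source hosts sent a Net-NTLM response to an external server and their passwords should be treated as exposed. If you have enforced the outbound NTLM restriction as well, extend the port set with 80 and 443 only for hosts running the WebClient service, or the check will drown in ordinary web traffic.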