# RASPITE | Dragos **dragos.com/blog/20180802Raspite.html** Threat Activity Group ## RASPITE Since 2017 May 30, 2020 Dragos has identified a new activity group targeting access operations in the electric utility sector. We call this activity group RASPITE. ----- Analysis of RASPITE tactics, techniques, and procedures (TTPs) indicate the group has been active in some form since early- to mid-2017. RASPITE targeting includes entities in the US, Middle East, Europe, and East Asia. Operations against electric utility organizations appear limited to the US at this time. RASPITE leverages strategic website compromise to gain initial access to target networks. RASPITE uses the same methodology as DYMALLOY and ALLANITE in embedding a link to a resource to prompt an SMB connection, from which it harvests Windows credentials. The group then deploys install scripts for a malicious service to beacon back to RASPITEcontrolled infrastructure, allowing the adversary to remotely access the victim machine. RASPITE overlaps significantly with Symantec’s LEAFMINER, which recently released a report on the group’s activity in the Middle East. RASPITE’s activity to date currently focuses on initial access operations within the electric utility sector. Although focused on ICS-operating entities, RASPITE has not demonstrated an ICS-specific capability to date. This means that the activity group is targeting electric utilities, but there is no current indication the group has the capability of destructive ICS attacks including widespread blackouts like those in Ukraine. While the group has not yet demonstrated an ICS capability, RASPITE’s recent targeting focus and methodology are clear indicators of necessary activity for initial intrusion operations into an IT network to prepare the way for later potential ICS events. _Dragos threat intelligence leverages the Dragos Platform, our threat operations center, and_ _other sources to provide comprehensive insight into threats affecting industrial control_ _security and safety worldwide. Dragos does not corroborate nor conduct political attribution_ _to threat activity. Dragos instead focuses on threat behaviors and appropriate detection and_ _response._ _[Read more about Dragos’ approach to categorizing threat activity and attribution.](https://www.dragos.com/blog/industry-news/threat-analytics-and-activity-groups/)_ _Dragos does not publicly describe ICS activity group technical details except in_ _extraordinary circumstances in order to limit tradecraft proliferation. However, full details on_ _RASPITE and other group tools, techniques, procedures, and infrastructure is available to_ _[network defenders via Dragos WorldView.](https://www.dragos.com/worldview)_ ### Contact Us For a Demo [Contact Us](https://dragos.com/contact) -----