Suspected Iranian hacking campaign targets European energy companies

Researchers at Recorded Future have linked trojan malware intrusions and espionage to a state-backed hacking operation working out of Iran.
Written by Danny Palmer, Senior Writer

A hacking campaign with suspected ties to Iran has targeted the European energy sector in what's thought to be a reconnaissance mission aimed at gathering sensitive information.

The network intrusion at the energy company has been detailed by researchers at cybersecurity company Recorded Future.

The PupyRAT software used by the attackers is open-source malware and can infiltrate Windows, Linux, OSX and Android to give hackers access to the victim's system, including usernames, passwords and sensitive information across the network.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

Despite the open-source nature of the malware, PupyRAT is prominently linked with Iranian state-backed hacking campaigns, particularly by the group known as APT 33, and has previously been deployed in attacks targeting critical infrastructure.

Now researchers have identified the malware as having been used in attacks that took place between November 2019 and January 2020.

The dates mean the campaign started ahead of raised geopolitical tensions in the Middle East following the US airstrike that killed Iranian General Qassem Soleimani.

Researchers haven't been able to identify the exact method of delivery, but think the malware is distributed via spear-phishing attacks. Previous APT 33 campaigns have involved attackers posing as individuals and gaining the trust of potential victims before eventually sending a malicious document.

However, researchers did see high-volume network traffic from the targeted company in the energy sector repeatedly communicating with command-and-control infrastructure associated with previous PupyRAT campaigns; enough evidence to believe that the network had been compromised in what's believed to be an espionage campaign.

"In our assessment based on the traffic we were seeing, this was likely reconnaissance," Priscilla Moriuchi, director of strategic threat development at Recorded Future, told ZDNet.

"Our sense is that given the network activity we're seeing, access to this kind of sensitive information about energy allocation and resourcing would be hugely valuable for adversaries."

Recorded Future has informed the affected target about the attack, and the security company has worked with the energy company to root out the intruders before more damage could be done.

"There's an assumption you can turn off and turn on network attacks but this usually isn't the case," Moriuchi explained.

"Enabling operations or destructive attacks takes this type of months-long reconnaissance and insight into the behaviour of officials at these companies and understanding how a certain capability could impact information or distribution of energy resources."

SEE: Ransomware, snooping and attempted shutdowns: See what hackers did to these systems left unprotected online

Energy companies are frequent targets for cyberattacks, but researchers note that attempts at hacking these networks can often be foiled with security procedures such as introducing two-factor authentication across the network and ensuring that passwords are complex and not re-used on multiple systems.

Network administrators should also monitor attempts to login to the network, as this could reveal something suspicious.

"These groups often use password brute-forcing, so monitoring for multiple login attempts from the same IP with different accounts is something which can be monitored for," said Moriuchi.

Organisations should also ensure their systems are regularly updated with relevant security patches in order to ensure that cyber criminals can't take advantage of known vulnerabilities to gain access to networks.



Editorial standards