Report Says Group Tied to Iran Could Be Involved
Hackers who may have ties to Iran have recently turned their attention to the European energy sector, using open source tools to target one firm’s network as part of a cyberespionage operation, according to the security firm Recorded Future.
The precise goal of the campaign that the Recorded Future analysts describe in a report released Thursday is not clear, although other studies have found that several Iranian-backed advanced persistent threat groups have targeted U.S. and European businesses connected to the energy sector over the last several years – before the tensions between the U.S. and Iran recently heated up (see: Analysis: Threat Posed by Pro-Iranian Hackers).
In the incident described by Recorded Future, hackers targeted a company described as “a key organization in the European energy sector.” The researchers believe the attack started several months before the Jan. 2 death of Major General Qasem Soleimani, leader of the foreign wing of Iran’s Islamic Revolutionary Guard Corps, in a U.S. drone strike in Iraq.
As part of this campaign, Recorded Future analysts found, the hacking group used readily available open source tools, including a remote access Trojan called Pupy, which is based on the Python programming language and can be downloaded from GitHub. This malware is adept at stealing credentials, passwords and other data, according to the report.
“These tools are usually intended to be used for defensive red-teaming exercises,” according to the Recorded Future report. “One such tool used by several Iran-nexus groups is PupyRAT.”
The incident also shows that various groups associated with Iran now have the capabilities to target these types of companies, says Priscilla Moriuchi, director of strategic threat development at Recorded Future.
“This report proves that Iran has the capabilities and assets to target high-value critical infrastructure organizations and possibly obtain access to sensitive information,” Moriuchi tells Information Security Media Group. “Whoever the attacker is, the findings relate to espionage-motivated intrusion activity or the pre-positioning of network access within a high-value network in the European energy sector.”
The use of the Pupy remote access Trojan and other open source tools has led Recorded Future analysts to suspect that the group behind the hacking is an organization the security firm refers to as APT33, although other researchers call the group Elfin, Refined Kitten, Magnallium and Holmium.
Government agencies have also warned about APT33, which is believed to have ties to Iranian intelligence.
In July, for example, U.S. Cyber Command issued a warning about Iranian-connected hacking groups targeting older vulnerabilities in Microsoft Outlook and attempting to install Trojan backdoors (see: US Cyber Command Warns of Outlook Vulnerability Exploits). One of the hacking groups suspected of this activity was APT33, and one of the tools that the attackers were using was the Pupy remote access Trojan, according to the U.S. Cyber Command warning.
A further analysis by Microsoft also found that APT33 has recently shifted its attention to energy firms in Europe and the U.S., using some of the same open source tools. Instead of targeting IT networks, however, Microsoft researchers believe the group’s targets have shifted toward industrial control systems.
In this latest case, it appears that the intrusion targeting the European energy firm started in November 2019 and continued through at least Jan. 5, according to the Recorded Future report. During this time, researchers found a command-and-control server associated with the Pupy remote access Trojan attempting to communicate with a mail server located inside the targeted company, according to the report.
“While metadata alone does not confirm a compromise, we assess that the high volume and repeated communications from the targeted mail server to a PupyRAT [command-and-control] are sufficient to indicate a likely intrusion,” Recorded Future researchers say.
And while the goals of this hacking campaign remain unclear, the targeting of the mail server of this European firm means that the attackers may have accessed highly sensitive material, according to the research report.
“The targeting of a mail server at a high-value critical infrastructure organization could give an adversary access to sensitive information on energy allocation and resourcing in Europe,” Moriuchi says. “We believe these findings are significant primarily because the victim is so integral to European energy management.”
Energy Sector Targets
As a result of the escalating tensions between the U.S. and Iran, security analysts have been warning about an increase in cyber incidents in the coming months. An area of concern is the potential targeting of the U.S. energy sector and the national power grid, according to a report released earlier this month by security firm Dragos. That report noted that at least 11 advanced persistent threat groups are targeting this critical infrastructure.
In its report, Recorded Future warns energy sector security teams to watch for sequential login attempts from the same IP against different accounts, which could be a sign of hackers probing for weaknesses in the network.
The report adds that multifactor authentication is one way to mitigate the risks and that cross-checking IT logs for incidents such as high-frequency lockouts or unsanctioned remote access attempts can help provide early warnings of intrusions.
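The two signals described above, one source IP cycling through many accounts and a burst of lockouts, can be pulled out of authentication logs with a short script. This is an added example, not code from the Recorded Future report; the log format, the IP addresses and the thresholds are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample log lines (not from the report): 203.0.113.7 walks through several
# accounts with one failed attempt each (the pattern the report says to watch for);
# 198.51.100.5 is an ordinary user mistyping a password once.
SAMPLE_LOG = """\
2020-01-03T02:10:01 auth: FAILED login user=alice from=203.0.113.7
2020-01-03T02:10:04 auth: FAILED login user=bob from=203.0.113.7
2020-01-03T02:10:07 auth: FAILED login user=carol from=203.0.113.7
2020-01-03T02:10:09 auth: FAILED login user=dave from=203.0.113.7
2020-01-03T02:10:12 auth: LOCKOUT user=dave from=203.0.113.7
2020-01-03T02:11:30 auth: FAILED login user=alice from=198.51.100.5
2020-01-03T02:11:35 auth: OK login user=alice from=198.51.100.5
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) auth: (?P<event>FAILED login|LOCKOUT|OK login) "
                     r"user=(?P<user>\S+) from=(?P<ip>\S+)$")

def parse_events(log_text):
    """Parse the constructed log format into (timestamp, event, user, ip) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines that do not match the expected format are skipped
            events.append((datetime.fromisoformat(m["ts"]), m["event"], m["user"], m["ip"]))
    return events

def spraying_sources(events, min_accounts=3, window_s=300):
    """IPs whose failed logins touch >= min_accounts distinct users within window_s seconds."""
    by_ip = {}  # per-account counters never trip here: each account fails only once
    for ts, event, user, ip in events:
        if event == "FAILED login":
            by_ip.setdefault(ip, []).append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()  # slide a window from each attempt; stop at the first that fires
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if (t - start).total_seconds() <= window_s}
            if len(users) >= min_accounts:
                flagged[ip] = sorted(users)
                break
    return flagged

def lockouts_by_ip(events):
    """Lockout count per source IP; a burst from one IP is the report's early-warning signal."""
    counts = {}
    for _, event, _, ip in events:
        if event == "LOCKOUT":
            counts[ip] = counts.get(ip, 0) + 1
    return counts
```

Grouping by source IP is what makes the sequential probing visible; the same log viewed per account shows a single failure each and looks benign.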
“CISOs must take an active stand and be the leader of precautionary actions that will better prevent and prepare organizations for these types of incidents. It’s not that CISOs are falling short – this activity is just more difficult to detect than traditional brute forcing,” Moriuchi says.