A state-backed hacking group based in Iran is suspected of having hacked a European Energy company. The group is believed to have used a Remote Access Trojan (RAT) called PupyRAT in their attack.
What is PupyRAT
Pupy is an open-source RAT written mainly in python that can give attackers full access to victims’ systems. It is a cross-platform piece of malware and can thus infiltrate multiple platforms namely Windows, Linux, OSX and Android.
A Remote Access Trojan (RAT) is malware that allows hackers to monitor and control a victim’s computer or network. It works like legitimate remote access programs often used by technical support to help customers with computer issues.
Although PupyRAT is an open-source piece of malware, it is mainly linked with Iranian state-backed hacking campaigns. It is particularly associated with the APT 33 state-backed hacking group. APT 33 have been involved in past attacks on organization in the energy sector worldwide.
How was the RAT Deployed?
RATs can only be deployed on previously compromised systems. In this instance, researchers don’t know how the PupyRAT was deployed but believe it was distributed via spear-phishing attacks.
Spear-phishing attacks are aimed at a single recipient rather than large numbers of recipients as with normal phishing attacks. Cybercriminals select a target within an organization and use social media and other public information to learn more about their potential victim. They then craft a fake email tailored for that person.
Previous APT 33 campaigns have involved attackers selecting a potential victim and gaining their trust before eventually sending them a malicious document via email. Consequently, researchers believe that it is likely that the same deployment method was used in this case.
Evidence of the Intrusion on the Energy Company
Recorded Future’s Insikt Group reported yesterday that they had found evidence of a PupyRAT Command and Control (C2) server chatting with a mail server from late November 2019 until the 5th of January 2020.
Insikt Group’s report goes on to explain that: “While metadata alone does not confirm a compromise, we assess that the high volume and repeated communications from the targeted mail server to a PupyRAT C2 are sufficient to indicate a likely intrusion.”
The mail server belonged to a European energy sector organization that coordinates allocation and resourcing of Energy resources in Europe. Given the organization’s role, this attack is of particular interest, especially considering the increase in Iranian-linked intrusions on energy sector ICS software.
Phil Neray, VP of Industrial Cybersecurity at CyberX, commented: “Given the extensive cross-border dependencies across the European energy infrastructure, this appears to be a strategic move by the adversary to focus on a centralized target in order to impact multiple countries at the same time, similar to the strategic value of attacking a single central transmission station rather than multiple remote substations — as Russian threat actors did in the 2016 Ukrainian grid attack compared to their 2015 attack.”
The Attackers’ Objectives
Researchers believe that this latest hacking campaign on European companies in the Energy sector was a reconnaissance mission. The mission is believed to be aimed at gathering important knowledge of energy plants’ processes and their Industrial Control Systems (ICS). The attackers also look to identify weaknesses in companies’ processes and critical infrastructure.
Priscilla Moriuchi, director of strategic threat development at Recorded Future explains: “Enabling operations or destructive attacks takes this type of months-long reconnaissance and insight into the behaviour of officials at these companies and understanding how a certain capability could impact information or distribution of energy resources.”
For countries like Iran, who are suspected of sponsoring these hacking groups, such knowledge can be used against adversaries in cases of conflict. The information can be used to launch cyberattacks to paralyze an adversary’s key sectors, such as power, water and transportation.
With this in mind, it is interesting to note the dates of the hacking campaign. These indicate that the hacking campaign started before the geopolitical tension caused by the killing of Iranian General Qassem Soleimani. Consequently, this cyberattack could not have been a retaliatory attack for Soleimani’s assassination.
Previous Attacks on Critical Infrastructure
Attacks on ICS systems and critical infrastructure have been on the rise in recent years. The reason for this is that they are comparatively easy targets.
The main problem with ICS systems and critical infrastructure like railways and power plants is that most were build before cybersecurity was a consideration. Many of these didn’t have any security systems and some ICS systems still don’t. When they are then retrofitted with security systems, it’s not always easy to know where holes have been left. In fact, many ICS systems, for example, are full of vulnerabilities.
The most famous attack on critical infrastructure was conducted in 2012 using the malware Stuxnet. Stuxnet is a computer worm that specifically targets Programmable Logic Controllers (PLCs). These allow automation of industrial processes and processes to control machinery.
Researchers believe that Stuxnet was developed by American and Israeli intelligence and was used to attack an Iranian nuclear refinery. It both collected intelligence and destroyed thousands of centrifuges used to enrich uranium.