Connect with us

Hi, what are you looking for?



Furtim’s Parent: State-Sponsored Malware Targets Energy Sector

Endpoint security firm SentinelOne has found and analyzed the dropper framework of the Furtim malware discovered in May. It describes this as the mother ship, and has named it SFG: Furtim’s Parent.

Endpoint security firm SentinelOne has found and analyzed the dropper framework of the Furtim malware discovered in May. It describes this as the mother ship, and has named it SFG: Furtim’s Parent. In a blog post, SentinelOne says it was discovered targeting ‘at least one European energy company’, and describes it as highly sophisticated malware that could be used “to extract data or insert the malware to potentially shut down an energy grid.” 

SentinelOne believes that SFG contains indicators and bears the hallmark of being state-sponsored. It further believes that it may have originated in eastern Europe. Attribution is a difficult subject, and the company would go no further in conversation with SecurityWeek. Nevertheless, we pressed.

It is the volume of evasion techniques and the sophistication of the methods that is key. If it detects a sandbox or indications of manual analysis it shuts down operation and re-encrypts itself to make any further analysis more difficult. That in itself is not new; but the sophistication of the methodology is impressive.

Perhaps more telling however, is the manner in which it by-passes and hides from certain anti-malware products. “It appears,” says Udi Shamir, CSO at SentinelOne, “to be the work of multiple developers who have reverse engineered more than a dozen antivirus solutions and gone to extreme lengths to evade detection, including causing the AV software to stop working without the user being alerted. Attacks of this nature require substantial funding and knowhow to pull off and are likely to be the result of a state sponsored attack, rather than a cybercriminal group.”

“The knowledge to do this,” confirmed co-author Joseph Landry, “has to be learned. It won’t be found on the internet and isn’t shared between gangs.” And it’s not just a deep understanding of AV that is shown. In order to bypass anti-virus and sandboxes, the author also requires a deep knowledge of Windows itself. “Many of these low-level APIs and system calls are undocumented/under-documented and can change between different versions of Windows,” reports the analysis. “To gain an understanding of these functions, one has to be familiar with the Windows Driver Development Kit (DDK), and also [to have] reverse-engineered portions of the Windows operating system.” 

The malware targeted two known exploits (CVE-2014-4113 and CVE-2015-1701), as well as one UAC bypass.

If the sophistication of SFG points the finger at a state-sponsored effort, it is the style that directs it towards eastern Europe. “Chinese hackers will reuse existing code and borrow techniques from others,” said Landry. “The Middle-East hackers will often include boastful comments, possibly because they’re quite new to the game. Eastern Europe tends to be well-written and tight – and this is well-written and tight.”

Advertisement. Scroll to continue reading.

Nevertheless, although SentinelOne knows that it has been targeted at one or more European energy companies, and suspects it originates in eastern Europe, the company will go no further. The danger, of course, is that malware that takes such pains to be invisible might well successfully and invisibly be installed on other targets. And just because it is currently targeting the energy sector, that doesn’t mean it is or always will be limited to that sector.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...