Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Hackers Targeting Azerbaijan Show Interest in SCADA Systems

A threat actor that has been spotted targeting Azerbaijan has shown an interest in the energy sector, specifically SCADA systems related to wind turbines, Cisco’s Talos threat intelligence and research group reports.

A threat actor that has been spotted targeting Azerbaijan has shown an interest in the energy sector, specifically SCADA systems related to wind turbines, Cisco’s Talos threat intelligence and research group reports.

The attacks are aimed at both government organizations and private sector companies, and they involve a remote access trojan (RAT) that has not been seen before. Talos has not been able to link the attacks to a known threat actor.

According to Talos, the hackers appear to be interested in the energy sector and industrial control systems (ICS).

Hackers target wind turbine SCADA systems

“We believe information pertaining to SCADA systems, with specific interest to wind turbines, was obtained based on the targeting observed,” Warren Mercer, technical lead at Talos, told SecurityWeek.

As for the new Python-based RAT used in these attacks, Talos has dubbed the malware PoetRAT. Once it has been delivered to a device, its operators can instruct it to list files, obtain information about the system, download and upload files, take screenshots, copy and move files, make changes in the registry, hide and unhide files, view and kill processes, and execute operating system commands.

Learn more about threats to industrial systems at SecurityWeek’s 2020 ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series

The malware is typically delivered using specially crafted Word documents that act as a dropper. In one campaign observed in February, the fake document was blurred, but appeared to include the logo of the Defense R&D Organisation of the Ministry of Defence in India. However, Talos says it has found no evidence that India has been targeted.

Another campaign, observed in April, involved documents that apparently referenced the COVID-19 coronavirus outbreak. A coronavirus-themed document was also spotted in a different campaign launched this month. The document was written in Russian and it was made to look like an Azerbaijani government document.

Advertisement. Scroll to continue reading.

The server delivering this document was also found to host a phishing page that mimicked the login page of the Azerbaijan government’s mail.gov.az webmail service.

In addition to PoetRAT, the attackers have been spotted delivering other tools to compromised systems, including ones designed for exfiltrating data via email or FTP, for recording the victim through their webcam, logging keystrokes, stealing credentials from browsers, and escalating privileges.

Related: New Snake Ransomware Targets ICS Processes

Related: Cyberspies Target Hundreds of Industrial Firms in South Korea, Other Countries

Related: More Threat Groups Target Electric Utilities in North America

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Wendi Whitmore has taken the role of Chief Security Intelligence Officer at Palo Alto Networks.

Phil Venables, former CISO of Google Cloud, has joined Ballistic Ventures as a Venture Partner.

David Currie, former CISO of Nubank and Klarna, has been appointed CEO of Vaultree.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.