A threat actor that has been spotted targeting Azerbaijan has shown an interest in the energy sector, specifically SCADA systems related to wind turbines, Cisco’s Talos threat intelligence and research group reports.
The attacks are aimed at both government organizations and private sector companies, and they involve a remote access trojan (RAT) that has not been seen before. Talos has not been able to link the attacks to a known threat actor.
According to Talos, the hackers appear to be interested in the energy sector and industrial control systems (ICS).
“We believe information pertaining to SCADA systems, with specific interest to wind turbines, was obtained based on the targeting observed,” Warren Mercer, technical lead at Talos, told SecurityWeek.
As for the new Python-based RAT used in these attacks, Talos has dubbed the malware PoetRAT. Once it has been delivered to a device, its operators can instruct it to list files, obtain information about the system, download and upload files, take screenshots, copy and move files, make changes in the registry, hide and unhide files, view and kill processes, and execute operating system commands.
Learn more about threats to industrial systems at SecurityWeek’s 2020 ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series
The malware is typically delivered using specially crafted Word documents that act as a dropper. In one campaign observed in February, the fake document was blurred, but appeared to include the logo of the Defense R&D Organisation of the Ministry of Defence in India. However, Talos says it has found no evidence that India has been targeted.
Another campaign, observed in April, involved documents that apparently referenced the COVID-19 coronavirus outbreak. A coronavirus-themed document was also spotted in a different campaign launched this month. The document was written in Russian and it was made to look like an Azerbaijani government document.
The server delivering this document was also found to host a phishing page that mimicked the login page of the Azerbaijan government’s mail.gov.az webmail service.
In addition to PoetRAT, the attackers have been spotted delivering other tools to compromised systems, including ones designed for exfiltrating data via email or FTP, for recording the victim through their webcam, logging keystrokes, stealing credentials from browsers, and escalating privileges.
Related: New Snake Ransomware Targets ICS Processes
Related: Cyberspies Target Hundreds of Industrial Firms in South Korea, Other Countries
Related: More Threat Groups Target Electric Utilities in North America
