Iran-Linked RAT Used in Recent Attacks on European Energy Sector

Recently identified attacks targeting a key organization in the European energy sector employed a remote access Trojan (RAT) previously associated with Iran-linked threat actors, Recorded Future reports.

Dubbed PupyRAT, the backdoor is an open source piece of malware available on GitHub. Mainly written in Python, the threat is advertised as cross-platform, with support for various functions for post-exploitation.

The malware, Recorded Future’s security researchers explain, was previously used by several Iranian hacking groups, including APT33 (also known as Elfin, Magic Hound and HOLMIUM) and COBALT GYPSY, which overlaps with APT34/OilRig.

These two groups have been known to target energy sectors in the United States, Europe, and elsewhere, and Iranian hackers were previously observed making heavy use of freely available commodity malware such as PupyRAT, Recorded Future notes.

The researchers were able to identify a PupyRAT command and control (C&C) server that communicated with a mail server for a European energy sector organization between November 2019 and at least January 5, 2020.

“While metadata alone does not confirm a compromise, we assess that the high volume and repeated communications from the targeted mail server to a PupyRAT C&C are sufficient to indicate a likely intrusion,” Recorded Future explains.

What the security researchers could not confirm was that the identified C&C server was indeed being used by either APT33 or COBALT GYPSY. The intrusion predates the recent escalation of activity between the U.S. and Iran.

However, the attack is of particular interest, given the organization’s role in the coordination of European energy resources, especially amid an increase in Iranian-linked activity targeting energy sector industrial control software.

“Whoever the attacker is, the targeting of a mail server at a high-value critical infrastructure organization could give an adversary access to sensitive information on energy allocation and resourcing in Europe,” the cyber-security company points out.

Phil Neray, VP of Industrial Cybersecurity at CyberX, commented on the report: “We’ve recently seen increased use of open-source malware by Iran-sponsored threat actors, but what’s particularly interesting about this attack is that it targets an energy sector organization involved with ‘coordination of European energy resources.’

“Given the extensive cross-border dependencies across the European energy infrastructure, this appears to be a strategic move by the adversary to focus on a centralized target in order to impact multiple countries at the same time, similar to the strategic value of attacking a single central transmission station rather than multiple remote substations — as Russian threat actors did in the 2016 Ukrainian grid attack compared to their 2015 attack,” Neray told SecurityWeek.

To stay protected from PupyRAT and similar commodity backdoors, organizations should monitor for sequential login attempts from the same IP against different accounts, employ multi-factor authentication, use a password manager and set strong, unique passwords.

Moreover, Recorded Future recommends that organizations analyze and cross-reference log data for lockouts, remote access attempts, attack overlaps across multiple accounts, and other possible signs of intrusion.
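
The monitoring recommended above can be sketched as a small log-correlation script. This is an added example, not code from Recorded Future or SecurityWeek. The four-field log format, the outcome labels, the thresholds and the sample events are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in an assumed format: timestamp, source IP, account, outcome.
# IP addresses come from the documentation ranges (RFC 5737).
SAMPLE_LOG = """\
2020-01-05T08:00:01 198.51.100.7 alice FAIL
2020-01-05T08:00:03 198.51.100.7 bob FAIL
2020-01-05T08:00:05 198.51.100.7 carol FAIL
2020-01-05T08:00:07 198.51.100.7 dave LOCKOUT
2020-01-05T08:00:09 198.51.100.7 erin SUCCESS
2020-01-05T08:02:00 203.0.113.20 alice FAIL
2020-01-05T08:02:30 203.0.113.20 alice SUCCESS
2020-01-05T09:30:00 192.0.2.44 bob FAIL
2020-01-05T11:45:00 192.0.2.44 carol FAIL
"""

def parse(log):
    """Yield (timestamp, ip, account, outcome) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3]

def find_sequential_attempts(log, min_accounts=3, window=timedelta(minutes=10)):
    """Flag IPs with failures against >= min_accounts distinct accounts inside the
    window, cross-referenced with lockouts and later successful logins from that IP."""
    by_ip = defaultdict(list)
    for event in sorted(parse(log)):
        by_ip[event[1]].append(event)
    findings = {}
    for ip, events in by_ip.items():
        bad = [e for e in events if e[3] in ("FAIL", "LOCKOUT")]
        start, hit_accounts, first_seen = 0, set(), None
        for end in range(len(bad)):
            while bad[end][0] - bad[start][0] > window:  # slide the time window
                start += 1
            in_window = {e[2] for e in bad[start:end + 1]}
            if len(in_window) >= min_accounts:
                hit_accounts |= in_window
                first_seen = first_seen or bad[start][0]
        if hit_accounts:
            later_ok = {e[2] for e in events if e[3] == "SUCCESS" and e[0] > first_seen}
            findings[ip] = {
                "accounts": sorted(hit_accounts),
                "lockouts": sorted({e[2] for e in bad if e[3] == "LOCKOUT"}),
                "success_after": sorted(later_ok),
            }
    return findings
```

With the default thresholds, only the first source IP is flagged; a single user mistyping a password and two failures spread over hours are not. A successful login that follows a flagged burst is the entry to investigate first.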

*updated with comments from Phil Neray

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
