Attacks recently identified to target a key organization in the European energy sector have employed a remote access Trojan (RAT) previously associated with Iran-linked threat actors, Recorded Future reports.
Dubbed PupyRAT, the backdoor is an open-source piece of malware available on GitHub. Written mainly in Python, it is advertised as cross-platform and offers a range of post-exploitation functions.
The malware, Recorded Future’s security researchers explain, was previously used by several Iranian hacking groups, including APT33 (also known as Elfin, Magic Hound and HOLMIUM) and COBALT GYPSY, which overlaps with APT34/OilRig.
These two groups have been known to target energy sectors in the United States, Europe, and elsewhere, and Iranian hackers were previously observed making heavy use of freely available commodity malware such as PupyRAT, Recorded Future notes.
The researchers were able to identify a PupyRAT command and control (C&C) server that communicated with a mail server for a European energy sector organization between November 2019 and at least January 5, 2020.
“While metadata alone does not confirm a compromise, we assess that the high volume and repeated communications from the targeted mail server to a PupyRAT C&C are sufficient to indicate a likely intrusion,” Recorded Future explains.
What the security researchers could not confirm is whether the identified C&C server was actually operated by either APT33 or COBALT GYPSY. The intrusion predates the recent escalation of activity between the U.S. and Iran.
However, the attack is of particular interest, given the organization’s role in the coordination of European energy resources, especially amid an increase in Iranian-linked activity targeting energy sector industrial control software.
“Whoever the attacker is, the targeting of a mail server at a high-value critical infrastructure organization could give an adversary access to sensitive information on energy allocation and resourcing in Europe,” the cyber-security company points out.
Phil Neray, VP of Industrial Cybersecurity at CyberX, commented on the report, “We’ve recently seen increased use of open-source malware by Iran-sponsored threat actors, but what’s particularly interesting about this attack is that it targets an energy sector organization involved with ‘coordination of European energy resources.’
“Given the extensive cross-border dependencies across the European energy infrastructure, this appears to be a strategic move by the adversary to focus on a centralized target in order to impact multiple countries at the same time, similar to the strategic value of attacking a single central transmission station rather than multiple remote substations — as Russian threat actors did in the 2016 Ukrainian grid attack compared to their 2015 attack,” Neray told SecurityWeek.
To stay protected from PupyRAT and similar commodity backdoors, organizations should monitor for sequential login attempts from the same IP address against different accounts, enforce multi-factor authentication, use a password manager, and set strong, unique passwords.
Moreover, Recorded Future recommends that organizations analyze and cross-reference log data for lockouts, remote access attempts, attack overlaps across multiple accounts, and other possible signs of intrusion.
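The detection recommended above, written out as logic run over a handful of constructed authentication log lines (an added example, not code from Recorded Future or from the PupyRAT project; the log format, the five-minute window and the three-account threshold are assumptions):

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical "timestamp event user= src=" format.
# Source 198.51.100.7 walks through several accounts in under a minute, triggers a
# lockout, then logs in successfully; 203.0.113.9 is a user retrying their own account.
SAMPLE_LOG = [
    "2019-11-14T08:00:01 LOGIN_FAIL user=alice src=198.51.100.7",
    "2019-11-14T08:00:03 LOGIN_FAIL user=bob src=198.51.100.7",
    "2019-11-14T08:00:05 LOGIN_FAIL user=carol src=198.51.100.7",
    "2019-11-14T08:00:06 LOCKOUT user=carol src=198.51.100.7",
    "2019-11-14T08:00:08 LOGIN_FAIL user=dave src=198.51.100.7",
    "2019-11-14T08:00:09 LOGIN_OK user=erin src=198.51.100.7",
    "2019-11-14T09:12:00 LOGIN_FAIL user=alice src=203.0.113.9",
    "2019-11-14T09:12:30 LOGIN_OK user=alice src=203.0.113.9",
]

LINE_RE = re.compile(r"^(\S+) (LOGIN_OK|LOGIN_FAIL|LOCKOUT) user=(\S+) src=(\S+)$")


def parse(lines):
    """Turn raw lines into (timestamp, event, user, src) tuples, oldest first."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:  # tolerate unrelated or malformed lines instead of failing
            continue
        ts, kind, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), kind, user, src))
    return sorted(events)


def find_spray_sources(lines, window=timedelta(minutes=5), min_accounts=3):
    """Flag sources that attempted >= min_accounts distinct accounts inside one
    sliding window, cross-referenced with lockouts and successful logins."""
    by_src = defaultdict(list)
    for ev in parse(lines):
        by_src[ev[3]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        start, peak = 0, set()
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window forward
                start += 1
            attempted = {e[2] for e in evs[start:end + 1] if e[1] != "LOCKOUT"}
            if len(attempted) > len(peak):
                peak = attempted
        if len(peak) >= min_accounts:
            findings[src] = {
                "accounts": sorted(peak),
                "lockouts": sorted({e[2] for e in evs if e[1] == "LOCKOUT"}),
                "successes": sorted({e[2] for e in evs if e[1] == "LOGIN_OK"}),
            }
    return findings
```

A flagged source with a non-empty "successes" list is the case to triage first, since it pairs the spraying pattern with an account that actually let the attempts in.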
*Updated with comments from Phil Neray.