A hacking campaign suspected of being linked to Iran has targeted the European energy sector and is believed to be aimed at collecting sensitive information.
The intrusion into the energy company's network was analysed by researchers at the cybersecurity firm Recorded Future.
PupyRAT, the tool used by the attackers, is open-source remote-access malware that runs on Windows, Linux, OS X and Android and gives attackers access to the victim's system, including usernames, passwords and other sensitive information on the network.
Despite being open source, PupyRAT has previously been linked to Iranian state-backed hacking campaigns, particularly those of the APT33 group, which has been identified in past attacks on critical infrastructure. Because anyone can download the tool, the malware itself proves little about who is behind an intrusion; the link rests on overlaps with infrastructure seen in earlier campaigns rather than on the choice of tool.
Researchers identified the malware in activity against the target between November 2019 and January 2020.
Those dates show the campaign began before the heightened geopolitical tensions in the Middle East that followed the US airstrike which killed Iranian general Qassem Soleimani.
Researchers have not been able to pinpoint the exact delivery method, but they believe the malware was distributed through phishing. Past APT33 campaigns have involved attackers posing as individuals and building trust with potential victims before finally sending them a malicious document.
What the researchers did see was a large volume of network traffic from the targeted energy company repeatedly communicating with command-and-control infrastructure associated with previous PupyRAT campaigns. That was enough evidence to conclude that the network was being used for what is, in effect, espionage.
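The observation above is what a network defender can reproduce locally: match outbound flows against a list of known command-and-control addresses and check whether any internal host contacts one of them repeatedly and on a regular schedule. The following is an added example, not code from Recorded Future or from the PupyRAT project. The watchlist, the flow records and the thresholds are constructed for illustration and use RFC 5737 documentation addresses, not real PupyRAT indicators.

```python
"""Flag internal hosts that repeatedly contact known C2 addresses and measure
how regular those contacts are.

Added example, not code from Recorded Future or from the PupyRAT project.
The watchlist and flow records are constructed for illustration and use
RFC 5737 documentation addresses, not real PupyRAT indicators.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Hypothetical C2 watchlist (constructed; documentation-only addresses).
C2_WATCHLIST = {"203.0.113.50", "198.51.100.7"}

# Constructed outbound flow records: "timestamp src_ip dst_ip dst_port bytes".
SAMPLE_FLOWS = """\
2019-12-02T08:00:03 10.20.1.15 203.0.113.50 443 912
2019-12-02T08:05:01 10.20.1.15 203.0.113.50 443 904
2019-12-02T08:10:04 10.20.1.15 203.0.113.50 443 918
2019-12-02T08:15:02 10.20.1.15 203.0.113.50 443 907
2019-12-02T08:20:05 10.20.1.15 203.0.113.50 443 911
2019-12-02T08:03:44 10.20.1.22 192.0.2.10 443 20481
2019-12-02T08:07:12 10.20.1.22 198.51.100.7 8443 1200
2019-12-02T08:41:19 10.20.1.30 192.0.2.33 80 5120
this line is malformed and is skipped
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts, skipping bad lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, nbytes = parts
        try:
            flows.append({"ts": datetime.fromisoformat(ts), "src": src,
                          "dst": dst, "port": int(port), "bytes": int(nbytes)})
        except ValueError:
            continue
    return flows


def find_c2_contacts(flows, watchlist, min_hits=3):
    """Return {(src, dst): summary} for every internal source that reached a
    watchlisted address at least min_hits times.

    interval_stdev is the population standard deviation of the gaps between
    contacts, in seconds. A small value relative to mean_interval means the
    host is calling home on a fixed schedule, the classic beaconing pattern.
    """
    by_pair = defaultdict(list)
    for f in flows:
        if f["dst"] in watchlist:
            by_pair[(f["src"], f["dst"])].append(f["ts"])
    results = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        results[pair] = {
            "hits": len(times),
            "mean_interval": statistics.mean(gaps) if gaps else 0.0,
            "interval_stdev": statistics.pstdev(gaps) if gaps else 0.0,
        }
    return results


if __name__ == "__main__":
    hits = find_c2_contacts(parse_flows(SAMPLE_FLOWS), C2_WATCHLIST)
    for (src, dst), s in hits.items():
        print(f"{src} -> {dst}: {s['hits']} contacts, every "
              f"{s['mean_interval']:.0f}s (stdev {s['interval_stdev']:.1f}s)")
```

With the constructed data, 10.20.1.15 contacts a watchlisted address every five minutes with only a few seconds of jitter, which is the kind of repeated, regular traffic the researchers describe. A single contact, such as the one from 10.20.1.22, falls below the default threshold; lower `min_hits` to 1 if a single touch of a known C2 address should page someone, which in most energy-sector networks it should.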
"In our estimation, based on the traffic we were seeing, this was probably reconnaissance," Priscilla Moriuchi, Director of Strategic Threat Development at Recorded Future, told ZDNet.
"Our sense is that, given the network activity we see, access to this kind of sensitive information about power distribution and supply resources would be extremely valuable to adversaries."
Recorded Future notified the target of the attack, and the security firm worked with the energy company to remove the intruders before more damage could be done.
"Activating businesses or disaster strikes gets this kind of monthly reconnaissance and insight into employee behavior in companies and understanding how a particular capability could affect information or the distribution of energy resources."
Researchers note, however, that intrusion attempts against such networks can often be prevented by basic security measures, such as deploying two-factor authentication across the network and ensuring that passwords are strong and not reused across systems. Both measures limit the value of the credentials a tool like PupyRAT harvests: a stolen password alone does not satisfy a second factor, and a password that is not reused cannot be replayed against other systems.
Network administrators should also monitor login and connection attempts, since the pattern of those attempts can reveal suspicious activity.
"These groups often use password brute-forcing, so tracking multiple login attempts from the same IP address with different accounts is something that can be monitored," Moriuchi said.
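The pattern Moriuchi describes, many different accounts tried from one source address, is password spraying, and it is straightforward to detect from authentication logs. The following is an added example, not code from Recorded Future. The sshd-style log format and the sample lines are constructed (RFC 5737 addresses), and the five-minute window and four-account threshold are assumed values to be tuned per environment.

```python
"""Detect password spraying: one source IP failing logins against many
different accounts inside a short window, and report whether the same source
later logged in successfully.

Added example, not code from Recorded Future. The log format and sample
lines are constructed (sshd-style wording, RFC 5737 addresses); the window
and account threshold are assumed values, not figures from the report.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log. 203.0.113.9 sprays five accounts in eleven
# seconds and then succeeds as "dave"; 198.51.100.20 is a user mistyping.
SAMPLE_LOG = """\
2020-01-14T09:00:01 sshd[2201]: Failed password for alice from 203.0.113.9 port 51002
2020-01-14T09:00:04 sshd[2203]: Failed password for bob from 203.0.113.9 port 51010
2020-01-14T09:00:07 sshd[2205]: Failed password for invalid user operator from 203.0.113.9 port 51011
2020-01-14T09:00:10 sshd[2207]: Failed password for carol from 203.0.113.9 port 51013
2020-01-14T09:00:12 sshd[2209]: Failed password for dave from 203.0.113.9 port 51015
2020-01-14T09:00:15 sshd[2211]: Accepted password for dave from 203.0.113.9 port 51016
2020-01-14T09:01:30 sshd[2240]: Failed password for alice from 198.51.100.20 port 40001
2020-01-14T09:01:35 sshd[2241]: Failed password for alice from 198.51.100.20 port 40002
2020-01-14T09:01:40 sshd[2242]: Accepted password for alice from 198.51.100.20 port 40003
"""

# Assumed log line shape; "invalid user" appears for accounts that do not exist.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text):
    """Turn matching log lines into event dicts; non-matching lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({"ts": datetime.fromisoformat(m["ts"]),
                       "user": m["user"], "ip": m["ip"],
                       "failed": m["result"] == "Failed"})
    return events


def detect_password_spray(events, window=timedelta(minutes=5), min_accounts=4):
    """Return {ip: summary} for sources whose failures inside any `window`
    cover at least `min_accounts` distinct accounts.

    successes_after_spray lists accounts that later authenticated from the
    same source; a non-empty list means the spray probably found a password.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)
    alerts = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["failed"]]
        best, start = 0, 0
        for end in range(len(failures)):
            # Slide the window start forward until the span fits in `window`.
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            best = max(best, len({e["user"] for e in failures[start:end + 1]}))
        if best >= min_accounts:
            first_fail = failures[0]["ts"]
            alerts[ip] = {
                "distinct_accounts": best,
                "failures": len(failures),
                "successes_after_spray": [e["user"] for e in evs
                                          if not e["failed"] and e["ts"] >= first_fail],
            }
    return alerts


if __name__ == "__main__":
    for ip, a in detect_password_spray(parse_auth_log(SAMPLE_LOG)).items():
        print(f"{ip}: {a['distinct_accounts']} accounts in {a['failures']} failures; "
              f"later successes: {a['successes_after_spray'] or 'none'}")
```

Counting distinct accounts per source, rather than total failures, is what separates a spray from a single user fumbling a password: 198.51.100.20 fails twice but against one account and is not flagged. The follow-up check for a later success from the same source is the alert that matters most, because a spray that ends in an "Accepted" line is no longer an attempt.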
Organizations should also ensure that their systems are kept up to date with security patches, so that attackers cannot exploit known vulnerabilities to gain access to their networks.