Energy sector under attack from malware combo attacks

News by Davey Winder

Kaspersky products were triggered on 41.6 percent of ICS computers in the energy sector globally in just the first six months of 2019.

Cyber-incidents that impact industrial control systems (ICS) can be amongst the most worrying that security professionals have to tackle, and not only because of the production downtime and the financial losses that often follow. If the incident hits a sector such as energy, the implications reach much further and are far more critical. Which is why the latest Kaspersky ICS CERT report makes for very difficult reading.
Many of the incidents involved malware that was not designed with an ICS target in mind: crypto-currency miners, spyware and worms formed the bulk of this conventional malware threat. These threats should not be underplayed, as they can steal data that is later used to develop further attacks, execute additional malicious software and provide an attacker with a route to control infected computers remotely.
When it comes to more targeted threats, the Kaspersky report also mentions AgentTesla, a Trojan with a spyware payload designed to steal authentication data, take screenshots and capture input from the camera and keyboard. "The AgentTesla spyware poses a serious threat to industrial systems," the report states, "because it is used in targeted attacks and the data stolen can be used to plan and carry out subsequent stages of the attack."
Then there is the Meterpreter backdoor, which was found being used to remotely control computers on energy-sector networks. "Meterpreter has significant capabilities related to providing stealthy remote control of infected machines," the report states, "because it uses a reflective malicious code injection technique. The technique enables attackers to load arbitrary malware directly into executable memory on a computer attacked by the backdoor." Meterpreter is also the standard in-memory payload of the open-source Metasploit penetration-testing framework, so a detection should be checked against any authorised testing on the network before it is treated as hostile activity.
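To make the reflective-injection description concrete, here is an added example (not code from the Kaspersky report or from SC Media) of the hunting heuristic defenders use against it: because an injected image never went through the OS loader, it sits in private rather than image-backed memory, is executable, and usually still begins with the PE "MZ" header. The Region layout and the sample process map are constructed for this example; the protection and type constants are the Win32 values that VirtualQueryEx reports.

```python
from dataclasses import dataclass
from typing import List

# Win32 memory protection flags (MEMORY_BASIC_INFORMATION.Protect)
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXECUTABLE = (PAGE_EXECUTE | PAGE_EXECUTE_READ
              | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)

# Win32 memory region types (MEMORY_BASIC_INFORMATION.Type)
MEM_IMAGE = 0x1000000    # mapped from an executable file by the loader
MEM_MAPPED = 0x40000     # file or section mapping
MEM_PRIVATE = 0x20000    # heap, stack, VirtualAlloc'd memory


@dataclass
class Region:
    """One committed memory region of a process (constructed layout for this example)."""
    base: int
    size: int
    protect: int
    mem_type: int
    path: str        # backing file as GetMappedFileName would report it, "" if none
    head: bytes      # first bytes of the region


def is_reflective_candidate(r: Region) -> bool:
    """Flag executable memory that no file on disk accounts for.

    Modules loaded normally are MEM_IMAGE with a backing path. A reflectively
    injected image is private (or anonymous mapped) executable memory; it
    usually keeps its 'MZ' header, and is often RWX because the injector
    wrote the image and then ran it in the same region. JIT engines also
    allocate private executable pages, so plain PAGE_EXECUTE_READ private
    memory with no PE header is deliberately NOT flagged: that is the
    false-negative cost of this heuristic.
    """
    if not r.protect & EXECUTABLE:
        return False
    if r.mem_type == MEM_IMAGE and r.path:
        return False
    has_pe_header = r.head[:2] == b"MZ"
    is_rwx = r.protect == PAGE_EXECUTE_READWRITE
    return has_pe_header or is_rwx


def scan(regions: List[Region]) -> List[int]:
    """Return base addresses of suspicious regions, lowest first."""
    return sorted(r.base for r in regions if is_reflective_candidate(r))


# Constructed process memory map: one normally loaded module, a heap, a JIT
# code region, and an image that was reflectively loaded (no backing file).
SAMPLE_MAP = [
    Region(0x7FF8A0000000, 0x1F0000, PAGE_EXECUTE_READ, MEM_IMAGE,
           r"C:\Windows\System32\ntdll.dll", b"MZ\x90\x00"),
    Region(0x21C40000000, 0x100000, PAGE_READWRITE, MEM_PRIVATE, "", b"\x00" * 4),          # heap
    Region(0x21C50000000, 0x20000, PAGE_EXECUTE_READ, MEM_PRIVATE, "", b"\x48\x89\x5c\x24"),  # JIT code
    Region(0x21C60000000, 0x5A000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE, "", b"MZ\x90\x00"),  # injected
]

if __name__ == "__main__":
    for base in scan(SAMPLE_MAP):
        print(f"suspicious executable region at {base:#x}")
```

On a live host the same check is fed from VirtualQueryEx plus GetMappedFileNameW, or from a memory-forensics framework's process scanner; an RWX private region carrying an MZ header inside a process on an engineering workstation is worth dumping and analysing before anything else.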
"This report has identified that security experts should be particularly cautious about malicious software that aims to steal data, spy on critically important objects, penetrate the perimeter and destroy the data," Kirill Kruglov, a security researcher at Kaspersky, said, "all of these types of incident could cause lots of trouble for industry."
Given the aforementioned potential for downtime, disruption and even danger to life that attacks on critical systems in the energy sector pose, SC Media UK reached out to infosecurity professionals for their take on the energy sector threatscape.
"The very nature of the energy sector, high value targets, distributed sensors and devices across multiple sites, as well as the convergence of IT and OT, gives a huge surface area for attack," Raj Kapoor, field application engineer at Telesoft Technologies, says. That much of the malware being used isn't specifically designed for the ICS environment could be down to "malware no longer under prescriptive human or machine control," Kapoor says, possibly even AI-driven malware.
Or it could be "rogue attackers trying their luck," Kapoor continues, "or even part of wider APT campaigns forcibly accelerating innovation and growth in red and blue team resource." What is clear to Kapoor is the cross-over and evolution of malware use across domains and networks they were not originally intended for. 
Glen Warwick, principal cyber security consultant at Bridewell Consulting, isn't surprised to see this attack pattern. "Most malware attacks are not explicit about what or who they are targeting," Warwick told SC Media UK. Meanwhile, Sivan Nir, threat intelligence team leader at Skybox Research Lab, reminds us that "hackers of any ilk also love to re-use and re-purpose malware and exploits to maximise their investment in developing or purchasing it," and is equally unsurprised that traditional IT attack vectors are being applied to the OT space. "As IT and OT are increasingly connected," Nir warns, "we'll see risks shared between these networks."
When it comes to more targeted threats, Proofpoint researchers recently reported how spearphishing campaigns were targeting three US companies in the utilities sector. "The phishing emails appeared to impersonate a US-based engineering licensing board, the US National Council of Examiners for Engineering and Surveying," Kevin Epstein, vice president of threat operations at Proofpoint, told SC Media UK. "We continue to see LookBack malware campaigns targeting the utilities sector in the United States," Epstein says, "our analysis shows that these are APT actors using custom tools to target critical infrastructure. It demonstrates that from a tool development standpoint they are attempting to improve and increase the success rates of their campaigns."
Earlier this month, Mimecast Threat Intelligence Centre research highlighted a determined attack against an energy company in the US which utilised Hawkeye and Loki malware, neither of them ICS-specific. "This particular targeted attack was identified as detection activity was significantly different from that which normally occurs day-to-day against the sector," Carl Wearn, head of e-crime at Mimecast, says. "The most determined attackers will use a mixture of tactics to attempt to force compromise of a targeted system by any means possible," Wearn concludes, "this will increasingly include the use of combined tactics including various basic phishing attacks, generic trojans, advanced bespoke malware, exploits and even lifestyle pattern analysis when necessary."
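Wearn's point that the attack stood out because detection volume departed from the sector's day-to-day pattern is a baseline comparison, and the following added example (not Mimecast's code; the daily counts are constructed) shows the simplest robust form of it: score each day's detection count against a trailing window of normal days, and keep days already flagged out of that baseline so one burst does not inflate the variance and hide the next.

```python
import statistics
from collections import deque
from typing import List


def anomalous_days(counts: List[int], window: int = 14,
                   threshold: float = 3.0) -> List[int]:
    """Return indices of days whose detection count sits more than
    `threshold` standard deviations above a trailing baseline of
    `window` normal days.

    Flagged days are never appended to the baseline, so a burst on day N
    cannot widen the spread and mask a second burst on day N+1. The first
    `window` days are warm-up and are never flagged.
    """
    baseline: deque = deque(maxlen=window)
    flagged: List[int] = []
    for day, count in enumerate(counts):
        if len(baseline) == window:
            mean = statistics.fmean(baseline)
            # floor the spread so a perfectly flat baseline cannot turn
            # every small blip into an alert
            spread = max(statistics.stdev(baseline), 1.0)
            if (count - mean) / spread > threshold:
                flagged.append(day)
                continue
        baseline.append(count)
    return flagged


# Constructed daily counts of blocked messages aimed at one target sector:
# two quiet weeks, a single burst on day 14, then a return to normal.
SAMPLE_COUNTS = [38, 41, 40, 44, 39, 42, 37, 40, 43, 41, 39, 40, 42, 38,
                 176, 41, 45, 39]

if __name__ == "__main__":
    for day in anomalous_days(SAMPLE_COUNTS):
        print(f"day {day}: {SAMPLE_COUNTS[day]} detections, outside the baseline")
```

Day 16's count of 45 scores just over two deviations above the clean baseline and is correctly left alone; the burst on day 14 scores in the tens. In practice the series is kept per sector and per detection family, since a campaign using generic stealers such as the ones above shows up as a jump in one family's count long before it changes the overall total.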
