SentinelOne researchers discovered what they believe to be a sophisticated nation-state sponsored malware campaign targeting at least one European electric company.
The researchers believe the malware originated in Eastern Europe and that a dropper tool is most likely being used first to gain access to targeted network users and then to introduce a payload designed to extract data or potentially shut down an energy grid, according to a July 12 blog post.
The malware appears to target facilities that have physical security in place as well as software security, the post said. The exploit affects all versions of Microsoft Windows and is known to exploit the CVE-2014-4113 and CVE-2015-1701 vulnerabilities. SentinelOne said it is unknown which attack vector the malware uses; infection could be spread via physical access or phishing emails.
Researchers said the malware is designed to bypass traditional antivirus solutions, next-generation firewalls, and even more recent endpoint solutions that use sandboxing techniques to detect advanced malware.
“The sample evasion and the technique this malware uses to remove the antivirus is not common—it runs at a very early stage in the boot process, before the antivirus software is loaded,” SentinelOne Chief Security Officer Udi Shamir told SCMagazine via emailed comments. “Also, steps have to be taken before the reboot to remove any antivirus that would be running during this early boot time.”
The payload used in the attack was a simple data exfiltrator that can efficiently send data to an outside adversary, and Shamir said the sample obtained by researchers most likely exploits old vulnerabilities in unpatched systems.
Shamir noted that the infection doesn't spread on its own and that there is no concern for infection by this variant; however, he said it is very possible for attackers to use this technique outside of Europe.
The energy industry requires substantial investment to tilt the playing field towards defense, Tim Erlin, Senior Director of IT Security and Risk Strategy at Tripwire told SCMagazine.com via emailed comments.
“We've already seen that the industrial systems controlling the power grid can be vulnerable to cyber attacks,” he said. “It's no surprise that governments are investing in an expanding arsenal of tools to leverage these weaknesses.”
Tripwire Chief Technology Officer Dwayne Melancon agreed and added that it pays to make cyber crooks' lives more difficult.
“For example, implementing multi-factor authentication to prevent access using only a password is crucial,” Melancon said. “Additionally, organizations should segment their networks to limit the amount of sensitive information that can be accessed by a single account.”