Researchers have reported increased cyber activity within the European energy sector by a high-profile hacking group. The increased activity is possibly linked to Iranian state-sponsored attackers. The intruders conducted cyber espionage and gained remote access using a tool called PupyRAT, targeting mail servers and setting up a command-and-control communications channel. SKOUT previously advised on state-sponsored attacks by Iran (Threat Advisory 003-20). Companies operating critical infrastructure should be extra vigilant and refer to the recommendations section below.
Technical detail and additional information
What is the threat?
There have been additional reports of possible Iranian cyber attacks. The tool used in this attack, PupyRAT, has been seen in previous operations conducted by hacking groups associated with Iran. Iran-backed hacking groups target critical infrastructure organizations, including energy-sector organizations such as the one targeted here. The potential impact is greatest where an energy-sector organization's computer systems are connected to physical systems, because a network intrusion can then reach operational equipment.
Why is this noteworthy?
Over the last year, security researchers have tracked Iran-backed hacking groups whose major operations involved building out attack infrastructure on the computer networks they target. Energy-sector organizations should be aware of the network intrusions these groups have carried out against their peers. A key resource in the European energy sector, such as the organization targeted here, is a likely target of interest for the group's operations.
What is the exposure or risk?
Energy-sector employees often work in critical environments where their own safety and the safety of others depends on the security of information systems. Important assets include information technology (IT), operational technology (OT), physical control systems, safety systems, and industrial control systems (ICS). Cybersecurity in this domain protects against unauthorized activity, damage, and loss of business operations. The risks range from halting business-wide functions to disrupting the distribution of energy resources.
What are the recommendations?
Computer network intrusions of any scale, especially within the energy sector, can take months and numerous steps to achieve. As this incident shows, it is possible to disrupt those efforts with proactive security strategies and with employees who are aware of the threats facing their organization and who understand the following:
- Be familiar with social engineering techniques: the act of influencing another person to do something they normally would not, such as divulging sensitive information.
- Be alert for spear phishing: suspicious email messages, phone calls, text messages, and other forms of messaging that may have malicious intent.
- Ensure that passwords are complex and not reused across multiple systems.
- Implement two-factor authentication for employees, computers, and systems on the network, particularly for remote access and mail services, since mail servers were targeted in this campaign.
- Network administrators should also monitor for excessive failed login attempts against the network, as these can reveal password guessing or password spraying activity.
- Apply updates to applicable systems promptly so that known vulnerabilities cannot be exploited, leading to further compromise and breaches.
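The login-monitoring recommendation above is the one that can be turned directly into detection logic. The following is an added example, not code from SKOUT or from the advisory's source reports: it parses constructed OpenSSH-style authentication log lines (the sample log, hostnames and the 203.0.113.0/24 and 198.51.100.0/24 documentation addresses are all made up for illustration), then flags two patterns the recommendation is aimed at: many failures from one source inside a short sliding window (brute forcing) and one source cycling through many distinct accounts (password spraying, which can stay below per-account lockout thresholds). The log format, the 2020 year assumed for the year-less syslog timestamps, and the thresholds are assumptions; real mail-server or directory logs will need their own regular expression.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log (not a real capture). Format modeled on OpenSSH's
# syslog output; 203.0.113.x and 198.51.100.x are documentation address ranges.
SAMPLE_LOG = """\
Jan 21 10:00:01 mail01 sshd[4102]: Failed password for invalid user admin from 203.0.113.5 port 40212 ssh2
Jan 21 10:00:04 mail01 sshd[4105]: Failed password for invalid user test from 203.0.113.5 port 40213 ssh2
Jan 21 10:00:07 mail01 sshd[4109]: Failed password for root from 203.0.113.5 port 40214 ssh2
Jan 21 10:00:11 mail01 sshd[4112]: Failed password for invalid user oracle from 203.0.113.5 port 40215 ssh2
Jan 21 10:00:15 mail01 sshd[4115]: Failed password for invalid user postgres from 203.0.113.5 port 40216 ssh2
Jan 21 10:00:20 mail01 sshd[4118]: Failed password for invalid user backup from 203.0.113.5 port 40217 ssh2
Jan 21 10:01:00 mail01 sshd[4130]: Failed password for jsmith from 198.51.100.7 port 51020 ssh2
Jan 21 10:01:09 mail01 sshd[4131]: Accepted password for jsmith from 198.51.100.7 port 51020 ssh2
Jan 21 10:03:00 mail01 sshd[4150]: Failed password for svc_backup from 203.0.113.9 port 60001 ssh2
Jan 21 10:04:10 mail01 sshd[4151]: Failed password for svc_backup from 203.0.113.9 port 60002 ssh2
Jan 21 10:05:20 mail01 sshd[4152]: Failed password for svc_backup from 203.0.113.9 port 60003 ssh2
Jan 21 10:06:30 mail01 sshd[4153]: Failed password for svc_backup from 203.0.113.9 port 60004 ssh2
Jan 21 10:07:40 mail01 sshd[4154]: Failed password for svc_backup from 203.0.113.9 port 60005 ssh2
Jan 21 10:08:00 mail01 sshd[4160]: pam_unix(sshd:auth): authentication failure; logname= uid=0
"""

# Matches only "Failed password" lines; "Accepted password" and PAM noise are skipped.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse_failures(log_text, year=2020):
    """Return a list of (timestamp, user, source_ip) for every failed login line.

    Syslog timestamps carry no year, so the caller supplies one (assumed 2020 here).
    """
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window count of failures per source IP.

    Returns {ip: (time_threshold_was_reached, failures_in_window)} for each IP
    that produced `threshold` or more failures inside any `window`-long span.
    Failures spread out more thinly than the window never accumulate.
    """
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    alerts = {}
    for ts, _user, ip in sorted(events):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = (ts, len(q))
    return alerts


def detect_spray(events, min_users=4):
    """Password spraying: one source trying many distinct account names.

    Per-account lockout does not catch this, so count distinct users per IP
    regardless of timing. Returns {ip: sorted list of attempted users}.
    """
    users = defaultdict(set)
    for _ts, user, ip in events:
        users[ip].add(user)
    return {ip: sorted(u) for ip, u in users.items() if len(u) >= min_users}


if __name__ == "__main__":
    evts = parse_failures(SAMPLE_LOG)
    for ip, (when, n) in detect_bruteforce(evts).items():
        print(f"brute force: {ip} reached {n} failures by {when:%H:%M:%S}")
    for ip, names in detect_spray(evts).items():
        print(f"password spray: {ip} tried {len(names)} accounts: {', '.join(names)}")
```

In the sample, 203.0.113.5 trips both detectors (six failures in twenty seconds across six account names), the single failure from 198.51.100.7 followed by a successful login is ordinary user error, and 203.0.113.9 produces five failures against one account but spaced 70 seconds apart, so the 60-second window never fills; a second, longer window (say 24 hours with a higher threshold) is the usual way to catch that slow-and-low pattern without flooding the SOC with alerts.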
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.