Last week the US Federal Bureau of Investigation (FBI) sent out an alert warning private industry of continued attacks carried out against software supply-chain companies. The report has yet to be released to the public, as it is intended as a Private Industry Notification (PIN), which is only sent to selected industry partners and not the public at large. However, details of the alert have been provided to ZDNet, who learned that attackers are attempting to infect companies with the Kwampirs malware. The alert sent out by the FBI stated,
“Software supply chain companies are believed to be targeted to gain access to the victim's strategic partners and/or customers, including entities supporting Industrial Control Systems (ICS) for global energy generation, transmission, and distribution,”
In addition to attacks carried out against software supply-chain companies, the attackers have also used the malware in attacks against companies in the healthcare, energy, and financial sectors. While the alert did not name any of the victims involved in the attacks, it did provide IOCs (indicators of compromise) and YARA rules, which would enable organizations to scan for the Kwampirs malware and mitigate any infection if the malware were found on the organization's network.
Kwampirs is defined as a remote access trojan (RAT), malware specifically designed to create a backdoor into an infected network. The backdoor is intended to provide the attacker with administrative privileges, which would allow the attacker to download and install other types of malware. Traditionally, RATs are hard to detect because the actions they carry out closely resemble those of legitimate applications.
Kwampirs was initially discovered by researchers at Symantec in April 2018. At the time of discovery, the malware was being deployed by a hacker group codenamed Orangeworm, which had been active since 2015. The modus operandi of the group was to target companies in the healthcare industry, be they IT suppliers, pharmaceutical suppliers, healthcare providers or any other company falling within the healthcare sector. During the campaign discovered in 2018, researchers noted that companies within the healthcare sector amounted to 40% of the victims targeted by the group. The Kwampirs malware itself was discovered on MRI and X-ray machines along with the usual machines, like PCs, prone to infection. The malware was also propagated aggressively with little to no emphasis on stealth, showing that the group was not concerned with being discovered.
Symantec’s findings were later confirmed by Lab32 in 2019, whose analysis provided more information on the Kwampirs malware, most of it technical in nature. Symantec’s published research analyzed the targets of the campaign, noting the emphasis on the healthcare industry. Further, researchers stated,
“Orangeworm's secondary targets include Manufacturing, Information Technology, Agriculture, and Logistics…While these industries may appear to be unrelated, we found them to have multiple links to healthcare, such as large manufacturers that produce medical imaging devices sold directly into healthcare firms, IT organizations that provide support services to medical clinics, and logistical organizations that deliver healthcare products.”
FBI Lists New Attacks Targeting Energy Sector
Neither Symantec’s nor Lab32’s analysis attributed Orangeworm to a country of origin. At the time of Symantec’s report, researchers stated that the attacks did not have the hallmarks of a nation-state actor and believed Orangeworm to be the work of an individual or small group of individuals. Further, no attempt was made to determine the attackers’ intentions beyond information gathering, particularly information relating to the network the malware had successfully infected. Now, the FBI warns that attacks employing Kwampirs have evolved to target companies in the ICS (Industrial Control Systems) sector, and especially the energy sector.
The alert also warns that new evidence from code analysis suggests that Kwampirs contains code similarities with Shamoon, a data-wiping malware developed by APT33, an Iranian-linked hacking group. The FBI stated,
“While the Kwampirs RAT has not been observed incorporating a wiper component, comparative forensic analysis has revealed the Kwampirs RAT as having numerous similarities with the data destruction malware Disttrack (commonly known as Shamoon),”
It is unclear if the FBI regards this link to Shamoon, and by extension APT33, as definitive proof that the Iranian state-sponsored group is indeed behind the latest wave of attacks or the ones attributed to Orangeworm. What is known, however, is that APT33’s tactics specifically target companies in the oil and gas industry. Companies targeted by Shamoon in the past were often linked geographically or politically to those deemed Iranian enemies. In January 2020, Saudi Arabia’s National Cybersecurity Authority warned of a new wiper, called Dustman, believed to be operated by Iranian state-sponsored threat actors. The timing of the discovery and subsequent announcements occurred during a period of heightened tensions between Iran and the US. Cooler heads insisted that the development of Dustman was not a result of these tensions but rather the daily operation of groups like APT33.
Neither the January incident nor the recent FBI alert should be viewed solely in the confines of political tensions. Rather, these events display the potential for state-sponsored groups, not only in Iran but in several other states, to carry out disruptive and dangerous operations. For the companies targeted there is the very real likelihood that they could lose millions attempting to recover from such attacks, especially if it is later proven that their cyber-security measures and policies were not up to scratch.