Security researchers have discovered a new cyber-espionage operation with links to Iranian state hacking groups targeting a major European energy organization.
Recorded Future’s Insikt Group detected command-and-control (C&C) communications between a C&C server and the victim organization, from late November 2019 until at least January 5, 2020.
The C&C server is associated with PupyRAT, an open source, post-exploitation remote access Trojan (RAT) used in the past by multiple Iranian threat actor groups such as APT33 and Cobalt Gypsy.
“While metadata alone does not confirm a compromise, we assess that the high volume and repeated communications from the targeted mail server to a PupyRAT C2 are sufficient to indicate a likely intrusion,” the security vendor wrote.
“Whoever the attacker is, the targeting of a mail server at a high-value critical infrastructure organization could give an adversary access to sensitive information on energy allocation and resourcing in Europe.”
Recorded Future emphasized that the activity pre-dates the current escalation in tensions between the West and Tehran, following the US assassination of a leading Iranian general and the downing of a civilian aircraft by Iranian soldiers.
Security experts have warned that the stand-off could lead to a new wave of Iranian attempts to compromise and disrupt critical infrastructure in the US and elsewhere.
In fact, as Recorded Future argued, Iranian state hackers have been “amassing operational network infrastructure throughout 2019,” and have shifted their focus from IT networks to physical control systems in utilities, manufacturing facilities and oil refineries.
The firm urged organizations to take a defence-in-depth approach to guard against RATs like PupyRAT.
This includes: implementing multi-factor authentication and/or using a password manager to store unique, strong credentials; monitoring for sequential login attempts from the same IP against different accounts; and analyzing and cross-referencing log data.
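As an added illustration of the login-monitoring recommendation (not code from Recorded Future or from the original article), the Python sketch below flags source IPs whose failed logins touch several different accounts within a short sliding window. The log format, the threshold of three accounts, the 10-minute window and the sample lines are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format): ISO time, source IP, account, result.
SAMPLE_LOG = """\
2020-01-05T09:00:01 203.0.113.7 alice FAIL
2020-01-05T09:00:04 203.0.113.7 bob FAIL
2020-01-05T09:00:09 198.51.100.20 carol FAIL
2020-01-05T09:00:11 203.0.113.7 carol FAIL
2020-01-05T09:00:15 203.0.113.7 dave FAIL
2020-01-05T09:00:20 198.51.100.20 carol FAIL
2020-01-05T09:00:31 198.51.100.20 carol OK
2020-01-05T09:40:00 192.0.2.44 erin FAIL
2020-01-05T11:40:00 192.0.2.44 frank FAIL
2020-01-05T13:40:00 192.0.2.44 grace FAIL
"""

def parse(line):
    """Split one log line into (time, ip, account, result)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result

def find_multi_account_sources(log_text, min_accounts=3,
                               window=timedelta(minutes=10)):
    """Return {ip: sorted accounts} for IPs whose failed logins hit at least
    min_accounts distinct accounts inside one sliding time window."""
    recent = defaultdict(deque)  # ip -> (time, account) failures still in window
    flagged = {}
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    for ts, ip, user, result in events:
        if result != "FAIL":
            continue
        q = recent[ip]
        q.append((ts, user))
        # Evict failures that have aged out of the window for this IP.
        while q and ts - q[0][0] > window:
            q.popleft()
        accounts = {u for _, u in q}
        if len(accounts) >= min_accounts:
            flagged.setdefault(ip, set()).update(accounts)
    return {ip: sorted(a) for ip, a in flagged.items()}

if __name__ == "__main__":
    for ip, accounts in find_multi_account_sources(SAMPLE_LOG).items():
        print(f"{ip}: failed logins against {len(accounts)} accounts: {accounts}")
```

A single user mistyping a password (one IP, one account) is not flagged, and widening the window trades fewer misses on slow, spaced-out attempts for more false positives from shared egress addresses.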