LookBack, xHunt Malware Threaten Utility and Transit Companies

essidsolutions

Cyber security sleuths have uncovered a series of hacking attacks targeting shipping, transportation and utility companies, highlighting the dangers of targeted malware raids on specific firms and sectors.

Researchers at Palo Alto Networks' Unit 42 threat intelligence division identified a malware Trojan they christened xHunt. A Trojan is a malicious tool disguised as legitimate software that attackers download on to victims' computers and networks.

The xHunt Trojan was first observed between last May and June when a transport and shipping company in Kuwait was compromised. The attackers installed a back-door tool named Hisoka. It allowed two other hacking tools, named Gon and EYE, to be downloaded to the company’s network.

Gon can upload and download files, take screenshots, explore other systems on the network and remotely control desktops. The EYE tool can erase all signs of the illicit processes when a legitimate user logs on to the system.

Similar to previous attacks

The tools allowed the attackers to observe activity on the network and extract files and data without being detected. Unit 42 did not disclose whether sensitive data was compromised. It did not describe how the malware entered the networks.

But the researchers noted that the attack bore similarities to tools used in 2018 named Sakabota, which they believe may have originated from the same author. The tools also overlapped with a hacking campaign called OilRig that was associated with the Iranian government.

The malware was dubbed xHunt because the attacking tools were named after the Hunter x Hunter Japanese Manga series. A second shipping and transport company in Kuwait was also targeted in June.

The growing threat

Targeted malware campaigns have raised alarms in corporate IT departments because the tools are tailored to specific businesses, sectors and countries. They contrast with commodity malware, which is launched against any network or computer to which it can gain access.

Commodity malware tends to be discovered quickly, given its widespread use, and remedies are found and typically posted online. But targeted malware is more sophisticated and can be difficult to identify and remove.

A second malware attack was uncovered this week, this time targeting utilities in the United States. Researchers at Proofpoint identified an attack against 17 U.S. utility companies between April and August using a remote access Trojan named LookBack.

Remote Access Trojans contain a backdoor to gain control over a computer. The LookBack malware was identified in August, and Proofpoint believes it may be state-sponsored.

The malware was downloaded on to employees' computers after they clicked on phishing emails. The emails masqueraded as messages from a legitimate domain for Global Energy Certification, a utility industry licensing body. The emails contained a legitimate PDF for a GEC exam to give the air of authenticity, but also included a malicious Word attachment that installed the malware Trojan on to computers when clicked.

LookBack can view and process data, delete files, move and click a mouse, execute commands and take screenshots, among other functions.

State-sponsored danger

State-sponsored attacks are a clear and present danger. The attack has not been attributed to any group, but the researchers believe Chinese hackers could be behind it. LookBack has in the past targeted sensitive utility operations such as nuclear plants, power grids, wind farms and coal plants.

Both attacks highlight the need for businesses to keep their cyber security systems current and to use the latest defenses against the ever-present threats of hacking.

Companies operating in sensitive areas such as logistics and energy are susceptible to nation-state attacks trying to undermine critical infrastructure. Finance, travel and retail businesses are targets because they process huge amounts of personal data including credit card details.

The most basic step is to make sure all employees can identify, report and delete any emails containing suspicious attachments or links.

Phishing is among the most common methods hackers use to gain entry to corporate networks. It seems unlikely any company will escape unscathed because hackers are stepping up their cyber attacks.