Tag Archive for: energy

North Korean cyberespionage actor Lazarus targets energy providers with new malware



Lazarus, also known as Hidden Cobra or Zinc, is a known nation-state cyberespionage threat actor originating from North Korea, according to the U.S. government. The threat actor has been active since 2009 and has often switched targets through time, probably according to nation-state interests.

Between 2020 and 2021, Lazarus compromised defense companies in more than a dozen countries including the U.S. It also targeted selected entities to assist strategic sectors such as aerospace and military equipment.

The threat actor is now aiming at energy providers, according to a new report from Cisco Talos.


Attack modus operandi

Lazarus often reuses very similar techniques from one attack to the next, as documented by Talos (Figure A).

Figure A: Full attack scheme from the current Lazarus operation. Image: Cisco Talos.

In the campaign reported by Talos, the initial vector of infection is the exploitation of the Log4j vulnerability on internet-facing VMware Horizon servers.

Once the targeted system is compromised, Lazarus downloads its toolkit from a web server it controls.

Talos has observed three variants of the attack, each differing in the malware deployed: VSingle alone, VSingle together with MagicRAT, or a new malware dubbed YamaBot.

Variations in the attack also involve other tools, such as mimikatz for credential harvesting, proxy tools to set up SOCKS proxies, or reverse tunneling tools such as Plink.

Lazarus also checks for installed antivirus on endpoints and disables Windows Defender antivirus.

The attackers also copy parts of the Windows registry hives for offline analysis and possible exploitation of credentials and policy information, and gather information from Active Directory before creating their own high-privileged users. These users are removed once the attack is fully in place, alongside the removal of temporary tools and the clearing of Windows event logs.

At this point, the attackers then take their time to explore the systems, listing multiple folders and putting those of particular interest, mostly proprietary intellectual property, into a RAR archive file for…
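The post-exploitation steps described above (a newly created high-privileged account, Defender disabled, event logs cleared, the account removed afterwards) each leave a Windows event behind, and the sequence is far more telling than any single event. The following correlation rule is an added example, not code from the article or from Cisco Talos; the one-JSON-object-per-line log schema and the sample events are constructed, while the event ID meanings are the standard Windows ones.

```python
# Added example (not from the article or Cisco Talos): correlate the post-exploitation steps
# the article describes using standard Windows event IDs -- Security 4720 user created,
# 4732 member added to a local group, 4726 user deleted, 1102 audit log cleared, and
# Windows Defender 5001 real-time protection disabled. Log schema and samples are constructed.
import json
from collections import defaultdict
from datetime import datetime, timedelta
PRIV_GROUPS = {"Administrators", "Domain Admins"}

def correlate(lines, window=timedelta(hours=6)):
    """Return [(host, account, indicators)] for each new account added to a privileged
    group within `window`, with the other tampering indicators seen on that host."""
    by_host = defaultdict(list)
    for line in lines:  # one JSON object per line (constructed schema)
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        by_host[ev["host"]].append(ev)
    findings = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        created = {e["account"]: e["ts"] for e in evs if e["id"] == 4720}
        for e in evs:
            if e["id"] != 4732 or e["account"] not in created:
                continue
            start = created[e["account"]]
            if e.get("group") not in PRIV_GROUPS or e["ts"] - start > window:
                continue
            tags = ["new_account_privileged"]
            for x in evs:  # other indicators on this host inside the same window
                if not (start <= x["ts"] <= start + window):
                    continue
                if x["id"] == 5001:
                    tags.append("defender_rtp_disabled")
                elif x["id"] == 1102:
                    tags.append("audit_log_cleared")
                elif x["id"] == 4726 and x["account"] == e["account"]:
                    tags.append("account_removed")
            if len(tags) > 1:  # a privilege grant alone is too noisy to alert on
                findings.append((host, e["account"], tags))
    return findings

# Constructed sample: HOST-A shows the full chain, HOST-B a benign account onboarding.
SAMPLE = [
    '{"ts":"2022-06-01T02:10:00","host":"HOST-A","id":4720,"account":"svc_backup"}',
    '{"ts":"2022-06-01T02:12:00","host":"HOST-A","id":5001,"account":""}',
    '{"ts":"2022-06-01T02:15:00","host":"HOST-A","id":4732,"account":"svc_backup","group":"Administrators"}',
    '{"ts":"2022-06-01T02:40:00","host":"HOST-A","id":1102,"account":""}',
    '{"ts":"2022-06-01T03:00:00","host":"HOST-A","id":4726,"account":"svc_backup"}',
    '{"ts":"2022-06-01T09:00:00","host":"HOST-B","id":4720,"account":"jdoe"}',
    '{"ts":"2022-06-01T09:05:00","host":"HOST-B","id":4732,"account":"jdoe","group":"Remote Desktop Users"}',
]
```

Running `correlate(SAMPLE)` flags only HOST-A, where the new account reached Administrators while Defender was switched off and the audit log was cleared; HOST-B's onboarding into a non-privileged group produces nothing.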


North Korea’s Lazarus hackers are exploiting Log4j flaw to hack US energy companies


Security researchers have linked a new cyber espionage campaign targeting U.S., Canadian and Japanese energy providers to the North Korean state-sponsored Lazarus hacking group.

Threat intelligence company Cisco Talos said Thursday that it has observed Lazarus — also known as APT38 — targeting unnamed energy providers in the United States, Canada and Japan between February and July this year. According to Cisco’s research, the hackers used a year-old vulnerability in Log4j, known as Log4Shell, to compromise internet-exposed VMware Horizon servers to establish an initial foothold onto a victim’s enterprise network, before deploying bespoke malware known as “VSingle” and “YamaBot” to establish long-term persistent access. YamaBot was recently attributed to the Lazarus APT by Japan’s national cyber emergency response team, known as CERT.

Details of this espionage campaign were first revealed by Symantec in April this year, which attributed the operation to “Stonefly,” another North Korean hacking group that has some overlaps with Lazarus.

However, Cisco Talos also observed a previously unknown remote access trojan — or RAT — named “MagicRAT,” attributed to Lazarus Group, which the hackers use for reconnaissance and stealing credentials.

“The main goal of these attacks was likely to establish long-term access into victim networks to conduct espionage operations in support of North Korean government objectives,” wrote Talos researchers Jung soo An, Asheer Malhotra and Vitor Ventura. “This activity aligns with historical Lazarus intrusions targeting critical infrastructure and energy companies to establish long-term access to siphon off proprietary intellectual property.”

The Lazarus Group is a financially motivated hacking group backed by the North Korean state that is best known for the high-profile Sony hack in 2016 and the WannaCry ransomware attack in 2017. Lazarus is also driven by efforts to support North Korea’s state objectives, including military research and development and evasion of international sanctions.

However, the group has in recent months turned its attention to blockchain and cryptocurrency organizations. It has been linked to…


Switzerland buys mobile gas turbines as energy backup for winter



The Swiss government has commandeered eight mobile gas turbines to strengthen the country’s energy security. 

This content was published on September 3, 2022 – 13:36

Keystone-SDA/ac

The procurement is the first contract signed under the governing Federal Council’s recent agreement to provide for back-up power plants. This measure will supplement the country’s hydropower reserves, which can be used in a targeted manner in winter if necessary, the Federal Department of the Environment, Transport, Energy and Communications (DETEC) announced on Friday.

The eight mobile gas turbines have been purchased from GE Gas Power and will be installed at the GE site in Birr in the northern Swiss canton of Aargau. They are gas-fired but can also run on oil or hydrogen. They will be ready for operation this winter and remain available until the end of 2026. The total costs over the entire period amount to CHF470 million (around $480 million).

The setup comprises eight modular turbines of the TM2500 type with a capacity of at least 30 megawatts each, making a total of around 250 megawatts.

In addition, negotiations with other potential suppliers of reserve power plants are still underway. These reserve power plants will be subject to the emissions trading scheme. At the same time, clarifications are being made as to which company will operate the plant.

Chinese Hackers Target Energy Sector in Australia, South China Sea


The Chinese state-aligned threat actor TA423 (aka Leviathan/APT40) is behind a sustained cyber-espionage campaign against countries and entities operating in the South China Sea, including organizations involved in an offshore wind farm in the Taiwan Strait.

The threat actor’s most recent campaigns used malicious emails impersonating Australian media organizations, including the fake Australian Morning News, to deliver ScanBox malware for reconnaissance, according to a report drafted by cybersecurity firm Proofpoint, working in collaboration with PwC.

Researchers also observed phishing activity targeting governmental agencies, media companies, and South China Sea wind turbine operators, as well as a European manufacturer supplying equipment for the Yunlin Offshore Windfarm in the Taiwan Strait.

The espionage campaign was active from April through June, with URLs delivered in phishing emails that redirected victims to a malicious website, where the landing page delivered a JavaScript ScanBox malware payload to selected targets.

“The ScanBox-related phishing campaigns identified in April through June 2022 originated from Gmail and Outlook email addresses which Proofpoint assess with moderate confidence were created by the threat actor, and utilized a variety of subject [lines] including ‘Sick Leave,’ ‘User Research,’ and ‘Request Cooperation,’” a blog post on the campaign noted, adding that the phishing campaign is currently ongoing.

ScanBox is a reconnaissance and exploitation framework designed to harvest several types of information, such as the target’s public-facing IP address, the type of Web browser they use, and their browser configuration (language or plugin information, for example). It allows threat actors to profile victims, and to deliver further carefully crafted malware to selected targets of interest.

This serves as a setup for the following stages of information gathering and potential follow-on exploitation or compromise, where malware could be deployed to gain persistence on the victim’s systems and allow the attacker to perform espionage activities.

“It creates an impression of the victim’s network that the actors then study and decide the best route to take to…
