Hackers attack the energy industry with malware designed for snooping
Hackers have been targeting energy industry workers with malicious emails containing malware that, when opened, leave the recipients vulnerable to snooping, software security giant Symantec reported Monday.
The campaign has primarily targeted Middle Eastern countries such as the United Arab Emirates, Kuwait, and Saudi Arabia. But it has also afflicted other nations as well, including the United States, the United Kingdom, and Uganda.
Because most of the companies singled out are involved in the energy business, Symantec speculated that the hackers are motivated by industrial espionage. “Whoever is behind these attacks may have a strategic interest in the affairs of the companies affected,” Symantec said in a blog post.
Having monitored this targeted email attack since the beginning of the year, Mountain View, Calif.-based Symantec (SYMC) reports that it discovered the malicious software program at its center on Feb. 11. The malware in question is a so-called trojan horse, a type of harmful software program that disguises itself as an innocent file.
In this case, the trojan—dubbed “Trojan.Loziak” by the researchers—masqueraded as a Microsoft Excel spreadsheet file. Once downloaded on a vulnerable machine, the previously unreported strain of malware steals information—like system configuration data—off of it. The malware appears to help the attackers determine whether a computer contains valuable data, and therefore whether it is an interesting target or not.
Here’s how the attack works: First the trojan performs an initial survey—collecting information about the computer’s name, installed software (including antivirus), and additional hardware specifications—and then it sends those details back to hackers responsible. If the hackers decide to proceed with the attack, they further infect the machines with additional malware, delivered via servers based in the U.S., U.K., and Bulgaria, according to Symantec. These include pieces of malware such as “Back.door.Cyberat” and “Trojan.Zbot,” which steal confidential information and open “backdoors,” leaving systems susceptible to further breaching.
To gain entry, the attack preys on the same vulnerability in Microsoft Windows that has been exploited in past espionage campaigns, such as Red October, the blog says. (Here’s Fortune’s story about a dispute between two security firms over the alleged resurrection of that campaign.)
Although the post concludes that the attack is relatively unsophisticated, it stresses that the campaign still poses a threat to those who do not keep up to date with the latest security updates.
The group behind the attack does not seem to be particularly advanced, as they exploited an old vulnerability and used their attack to distribute well-known threats that are available in the underground market. However, many people still fail to apply patches for vulnerabilities that are several years old, leaving themselves open to attacks of this kind. From the attacker’s perspective, they don’t always need to have the latest tools at their disposal to succeed. All they need is a bit of help from the user and a lapse in security operations through the failure to patch.
As long as users leave known vulnerabilities unrepaired, hackers will be able to continue to exploit computer systems with minimal effort.