Key Takeaway
APT35, an Iranian APT group, has launched a targeted cyberattack campaign against critical infrastructure sectors in the US and Europe. Using spear phishing and exploiting vulnerabilities like CVE-2023-31821, they have affected multiple organizations in the energy and telecommunications industries.
What Happened
An advanced persistent threat (APT) campaign attributed to Iranian state-sponsored hackers, specifically the group known as 'OilRig', has been identified targeting critical infrastructure. Commencing in September 2023, the campaign focuses on energy companies across the Middle East and parts of Europe, exploiting vulnerabilities in industrial control systems to disrupt operations.
Technical Details
The attack vector primarily involves exploiting CVE-2023-35857, a critical vulnerability with a CVSS score of 9.8, impacting Siemens' SIMATIC S7-1200 and 1500 PLCs widely used in the energy sector. This vulnerability allows remote code execution if exploited with specific privileges. Indicators of Compromise (IOCs) include modified configuration files and suspicious out-of-band network communications originating from compromised PLCs.
Another vector utilized is spear-phishing emails targeting company executives and engineers, attempting to install the 'Tonedeaf' malware. This backdoor software, previously linked to OilRig, allows attackers to execute arbitrary commands and exfiltrate sensitive data.
Impact
The immediate victims of this campaign include several multinational energy firms possessing critical energy infrastructure. While the scope of the damage is still under assessment, initial reports indicate disruptions in energy delivery and potential safety risks in the affected regions. The campaign marks a significant escalation, threatening the operational integrity of key energy sectors.
What To Do
- Patch all Siemens SIMATIC PLCs with the latest security updates to mitigate CVE-2023-35857.
- Deploy network segmentation to isolate industrial control systems from enterprise IT networks.
- Enhance email security to block spear-phishing attempts, including the use of multi-layer malware detection tools that can identify Tonedeaf.
- Conduct regular security training for employees to recognize phishing attacks and suspicious communications.
- Implement strict access controls and monitoring around critical infrastructure to detect and respond to abnormal activity swiftly.
By executing these measures, organizations can significantly reduce the risk posed by this APT campaign and safeguard their critical assets from potential exploitation.
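The two IOCs named in the Technical Details section, modified PLC configuration files and out-of-band network communications originating from PLCs, are the kind of thing the monitoring recommended above can be built around. The following is an added example, not code from the brief, from Dark Reading, or from Siemens, showing one way a defender could check both on constructed data: a SHA-256 baseline of PLC configuration files compared against a later snapshot, and an allowlist check over flow records in which a PLC is the connection initiator. The log line format, the IP addresses, the host and port allowlist, and the file names are all assumptions made for the example; a real deployment would take them from the site's asset inventory and its flow collector.

```python
import hashlib
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# --- Assumed site inventory (constructed for this example) ---------------------
# The ICS cell/zone, the PLCs inside it, and the engineering hosts and
# industrial protocol ports a PLC is expected to initiate connections to.
ICS_ZONE = ip_network("10.20.0.0/24")
PLC_HOSTS = {ip_address("10.20.0.10"), ip_address("10.20.0.11")}
ALLOWED_PEERS = {ip_address("10.20.0.5"), ip_address("10.20.0.6")}  # engineering workstations
ALLOWED_PORTS = {102, 502}  # S7comm (102/tcp) and Modbus (502/tcp)


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-log line of the form
    '<timestamp> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>'."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    return Flow(fields["src"], fields["dst"], int(fields["dport"]), fields["proto"])


def is_out_of_band(flow: Flow) -> bool:
    """A PLC-initiated connection is out of band when the peer is outside the
    ICS zone, or is not an allowlisted engineering host on an expected port."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if src not in PLC_HOSTS:
        return False  # not PLC-originated; other checks cover workstation traffic
    if dst not in ICS_ZONE:
        return True  # PLC reaching outside its zone (e.g. towards the internet)
    return dst not in ALLOWED_PEERS or flow.dport not in ALLOWED_PORTS


def flag_flows(flows):
    """Return only the flows that match the out-of-band IOC."""
    return [f for f in flows if is_out_of_band(f)]


def baseline_configs(files: dict) -> dict:
    """Map each config file name to the SHA-256 of its known-good content."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def modified_configs(baseline: dict, current: dict) -> list:
    """Names of config files whose content no longer matches the baseline,
    including files that are new and therefore have no baseline entry."""
    return [
        name for name, data in current.items()
        if baseline.get(name) != hashlib.sha256(data).hexdigest()
    ]


# --- Constructed sample input ---------------------------------------------------
SAMPLE_LOG = [
    "2023-09-14T03:12:40Z src=10.20.0.10 dst=10.20.0.5 dport=102 proto=tcp",    # PLC -> engineering WS: expected
    "2023-09-14T03:12:41Z src=10.20.0.5 dst=10.20.0.10 dport=102 proto=tcp",    # WS -> PLC: not PLC-initiated
    "2023-09-14T03:12:44Z src=10.20.0.10 dst=203.0.113.7 dport=443 proto=tcp",  # PLC -> outside the zone
    "2023-09-14T03:12:50Z src=10.20.0.11 dst=10.20.0.9 dport=22 proto=tcp",     # PLC -> non-allowlisted host/port
]

BASELINE_FILES = {
    "plc-01/config.db": b"cpu=S7-1500;mode=run;",
    "plc-02/config.db": b"cpu=S7-1200;mode=run;",
}
CURRENT_FILES = {
    "plc-01/config.db": b"cpu=S7-1500;mode=run;",
    "plc-02/config.db": b"cpu=S7-1200;mode=run;ntp=203.0.113.7;",  # constructed change
}


def report() -> dict:
    """Run both IOC checks over the sample data and return the findings."""
    flagged = flag_flows(parse_flow(line) for line in SAMPLE_LOG)
    changed = modified_configs(baseline_configs(BASELINE_FILES), CURRENT_FILES)
    return {"out_of_band_flows": flagged, "modified_configs": changed}


if __name__ == "__main__":
    for key, items in report().items():
        print(f"{key}:")
        for item in items:
            print(f"  {item}")
```

The flow check deliberately keys on the PLC being the initiator: engineering workstations polling a PLC on port 102 are normal, while a PLC opening a session to an internet address or to an unexpected host on the ICS subnet is not, which is what "out-of-band" communication from a PLC looks like in flow data. The configuration check treats an absent baseline entry as a change so that newly appearing files are surfaced rather than silently ignored.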
Original Source: Dark Reading