Attacks/Breaches

12/19/2017
05:38 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Another Cyberattack Spotted Targeting Mideast Critical Infrastructure Organizations

Operation Copperfield appears focused on data theft and reconnaissance, Nyotron says.

Damaging attacks from second and third-tier nation-state threat actors – especially in the Middle East - could become more of a pressing issue for enterprises next year if a couple of recent incidents are any indication.

Days after FireEye reported a recent attack where a likely nation-state actor disrupted operations at a critical infrastructure facility in the Middle East, there's another report of an ominous new cyberattack campaign targeting similar organizations in the region.

This time, the warning is from Nyotron, which says it has spotted a threat actor with likely links to Saudi Arabia, Iran, or Algeria using a repurposed malware tool to target specific critical infrastructure organizations in the Middle East.

The tool, which Nyotron has dubbed Copperfield, is based on H-Worm aka Houdini, a four-year-old remote access trojan (RAT) believed to be the work of an Algerian hacker. The malware is primarily being spread via infected USB drives; once installed on a system, it uses other methods to propagate.

The operators of the Copperfield campaign have used a $25 generic crypter tool called BronCoder to change the structure and hash of the Visual Basic Script-based H-Worm so it cannot be spotted by typical signature-based anti-malware tools.

The attackers have also use a unique masquerading technique to conceal files on infected systems and replace them with identically named malicious LNK files with the same icons as the hidden files. When a user clicks on a malicious file, it executes exactly as expected, but while running malicious commands silently in background.

Like H-Worm, Copperfield uses an automation tool in Windows — Windows Script Host — to gain full control of an infected system. It then can perform tasks like collecting and transmitting system information, exfiltrating data to an external server, downloading and executing keyloggers and other malware, and updating itself.

"We believe that H-worm was an inspiration for Operation Copperfield," says Nir Gaist, Nyotron's chief technology officer. "However the Copperfield worm is significantly more sophisticated and professionally developed ... Among the core enhancements is the infection mechanism that has been introduced in the wild for the first time."

Based on the malware tool's capabilities, the main goals of Operation Copperfield appear to be data theft for the purposes of conducting reconnaissance on critical infrastructure targets, Gaist says.

'La La Land'

Nytoron spotted Copperfield activity earlier this month when its software identified and stopped the malware from causing damage on a shared workstation at one of the security vendor's Middle Eastern clients. The malware was introduced on the system via a USB drive that a night-shift worker had plugged in to watch the movie La La Land, which he had recently downloaded on it.

Gaist says Nyotron is still collecting information on the scope of the campaign and its main purpose. But the company has found infections in countries as dispersed as China, Columbia, South Korea, and Iran.

Nyotron's investigation of the incident at its client showed the attackers using a command and control server apparently based in Mecca, Saudi Arabia, to run the campaign. "The worm was designed to execute any shell command sent from the C&C, and specific commands were developed for uploading and downloading data," Gaist says.

"The spread mechanism of Operation Copperfield and previously unseen masquerading techniques, leads us to believe that the attacker, who's currently still active, is relatively sophisticated," he notes. 

Evidence suggests that the attackers are Saudi Arabia-based. But some of the language used in the malware code and previous attributions to H-Worm suggest an Iranian or an Algerian connection as well.

The Nyotron advisory comes just days after FireEye's warned about an incident where threat actors gained access to a critical safety system at an industrial facility in the Middle East and inadvertently triggered a shut down of a process there. The attacks suggest heightened cyber threat activity in the region and the growing sophistication of the groups behind it.  

In September, Palo Alto Networks reported finding a large adversary infrastructure in the Middle East comprised of numerous credential harvesting systems, C&C servers, compromised websites, and post-exploitation tools available to threat actors in the region. Another study by Trend Micro uncovered a booming underground market for malware in North Africa and the Middle East, where many sophisticated tools are being distributed for free or next to nothing to threat actors in the region.

Threat actors in mid-tier countries have acquired the capability to take on critical infrastructure and other targets in advanced nations Nytoron said in its report.

"Tier-2 and tier-3 nation states (and their for-hire agents) will mostly drive bolder actions that aim to disrupt economies of their adversaries, impact unfavorable legislation or simply create fear and uncertainty in the market and among the targeted population," the vendor noted.

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
2019 Attacker Playbook
Ericka Chickowski, Contributing Writer, Dark Reading,  12/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
[Sponsored Content] The State of Encryption and How to Improve It
[Sponsored Content] The State of Encryption and How to Improve It
Encryption and access controls are considered to be the ultimate safeguards to ensure the security and confidentiality of data, which is why they're mandated in so many compliance and regulatory standards. While the cybersecurity market boasts a wide variety of encryption technologies, many data breaches reveal that sensitive and personal data has often been left unencrypted and, therefore, vulnerable.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-1265
PUBLISHED: 2018-12-17
IBM Security Guardium 10.0, 10.0.1, 10.1, 10.1.2, 10.1.3, 10.1.4, and 10.5 does not validate, or incorrectly validates, a certificate. This weakness might allow an attacker to spoof a trusted entity by using a man-in-the-middle (MITM) techniques. IBM X-Force ID: 124740.
CVE-2017-1272
PUBLISHED: 2018-12-17
IBM Security Guardium 10.0 and 10.5 stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referrer header or browser history. IBM X-Force ID: 124747. IBM X-Force ID: 124747.
CVE-2017-1597
PUBLISHED: 2018-12-17
IBM Security Guardium 10.0, 10.0.1, 10.1, 10.1.2, 10.1.3, 10.1.4, and 10.5 Database Activity Monitor does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. IBM X-Force ID: 132610.
CVE-2018-1889
PUBLISHED: 2018-12-17
IBM Security Guardium 10.0 and 10.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 152080.
CVE-2018-1891
PUBLISHED: 2018-12-17
IBM Security Guardium 10 and 10.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 152082.