Security firm SentinelOne says it’s found the smartest malware it’s ever seen targeted at energy infrastructure, so sophisticated it believes this was an expensive, state-sponsored attack.
Speaking to NS Tech, senior security researcher Joseph Landry said that one unnamed energy company in Europe has already fallen foul of the (nicknamed) SFG malware.
And SentinelOne has pointed the finger at Eastern Europe.
The attack was initiated with a ‘dropper’, which stealthily bypassed anti-virus software and then started describing the architecture of the system back to the computer that was controlling it. At this point, SentinelOne was alerted that something wasn’t quite right.
“These people had the money and resources to buy large amounts of anti-virus products so they could understand the systems they were targeting and create workarounds for each,” Landry explains.
He was then tasked with reverse engineering the malware, looking at its static code, as well as how it acted when it was running, to see what was going on
But it took him a full two days to get it to run.
After that, he found sophisticated use of binary code designed to work on devices running any version of Microsoft Windows. That’d likely count the majority of energy companies, as well as financial service firms.
“This sample knew that at some point it would be analysed and it had a lot of tricks to stop a human from being able to.”
That included a mechanism where it would encrypt itself and die if it knew it was in a secure sandbox.
“I don’t think they were looking for money, they were looking for information, access to machines,” Landry said. “This wasn’t crimeware.”
As ever, SentinelOne recommends layered security measures in order to prevent wide damage across your systems.
“Anything can be targeted, anything can be destroyed,” he warned. “You can’t just use one anti-virus package, you need segmentation across your networks.”
Although Landry didn’t see any evidence of sabotage, he believes this was just the first piece of a staged attack.
“It seemed like initial reconnaissance so they could see what’s on the network then plan the next step.”
And this, of course, is just one example of the growing number of state-sponsored attacks, which, if targeted right, could eventually take out a whole energy grid.
A senior exec at Alphabet-owned Google said earlier this week that it notifies its customers of 4,000 state-sponsored cyber incidents every single month.