American gas and oil companies have been targeted by a hacking group with ties to the Russian Federation for close to 18 months, a new research report indicates.
The attackers have leveraged watering hole attacks to infect users inside the critical infrastructure organizations to spread a remote access Trojan known as HAVEX. According to Crowdstrike’s 2013 Threat Report, released this morning, the RAT drops malware on compromised machines that sends system information to a command and control server, as well as credential-harvesting tools that steal passwords from browsers, and backdoors that communicate with the hackers’ infrastructure to drop additional payloads. It also uses RSA public key cryptography to encrypt and authenticate the malware files it drops. Generally attackers use low-grade encryption algorithms, said Adam Myers, vice president of intelligence at Crowdstrike.
“It’s well built. The people who had it built had more capable programmers than we’ve typically seen with the Chinese-based adversary,” said Myers. “That was something that piqued our interest when you see a nice clean piece of code like that. The functionality is something that you would typically expect but the leveraging of the RSA encryption algorithm is a lot more complicated than most of the stuff we see. Implementing public key cryptography is fairly unique for these types of attacks.”
threatpost