FBI Alerts to Ongoing Targeted Supply-Chain Cyberattacks
Hackers are targeting supply-chain vendors in an effort to install Kwampirs malware, a remote access trojan (RAT) and gain access to the victim’s connected business partners and customers.
By - The FBI recently sent an alert to privates sector organizations warning them that hackers are targeting supply-chain vendors with Kwampirs malware cyberattacks, in an effort to gain access to the victim’s connected business partners and customers, first reported by ZDNet.com.
Software supply chain companies are the primary target, but the FBI also warned the malware is behind attacks on the healthcare, energy, and financial sectors. The victims were not named, but it’s believed these attacks are designed for global distribution, generation, and transmission.
Kwampirs is a remote access trojan (RAT), and the first surge of attacks was reported by Symantec in April 2018. Leveraged by the notorious Orangeworm hacking group, the virus first targeted the healthcare, pharmaceutical, and IT solution sectors, as well as those in manufacturing, agriculture, and logistics.
The attacks appeared to be focused on corporate espionage, as the group conducted a substantial amount of research and planning before launching the targeted attacks. Once Kwampirs is installed, it collects data from the victims’ networks to determine the value of the victim organization.
If deemed valuable, the hackers copy the malware across the open network in an effort to infect all connected devices, as it continues to harvest data such as recently accessed computers, network adaptors, available network shares, and the like.
Kwampirs is also known to exploit shared credentials and has been found on software used to control medical imaging machines.
“We believe that these industries have also been targeted as part of a larger supply-chain attack in order for Orangeworm to get access to their intended victims related to healthcare,” researchers explained at the time.
“While these industries may appear to be unrelated, we found them to have multiple links to healthcare, such as large manufacturers that produce medical imaging devices sold directly into healthcare firms, IT organizations that provide support services to medical clinics, and logistical organizations that deliver healthcare products,” they added.
In total, about 40 percent of the group’s first victims were part of the healthcare sector.
The latest surge appears to be focused on those in the industrial control systems sector, but the FBI also warned that it appears the hacking group now shares multiple similarities with the data-wiper malware known as Shamoon. Shamoon is linked to the APT33 hacking group based out of Iran. Wiper malware is designed to destroy data, disrupt operations, and can lead to an organization losing its entire network.
“While the Kwampirs RAT has not been observed incorporating a wiper component, comparative forensic analysis has revealed the Kwampirs RAT as having numerous similarities with the data destruction malware Disttrack (commonly known as Shamoon),” the FBI warned.
In response, organizations should be scanning and monitoring their networks for signs of compromise. Recently released supply chain risk management guidance from NIST and the Healthcare and Public Health Sector Coordinating Council (HSCC) can also help healthcare providers ensure they are limiting the risk posed by its long list of supply chain vendors.
