The FBI has warned private sector companies of an active hacker campaign with the increase of supply chains attacks. Attackers seek to compromise software vendors by infecting developers with the Kwampirs Trojan.
The FBI also reports that the same malware was used to attack companies in the healthcare, energy and finance sectors. Names of affected companies are not disclosed.
“We believe that software vendors become targets for attacks to gain access to their strategic partners and customers, including organizations that support process control systems for global production, transmission and distribution of energy”, – said in the FBI note that was published last week.
Kwampirs was first described in a Symantec report in April 2018. At that time, experts wrote that the hacker group Orangeworm used Kwampirs to attack supply chains, and the group’s goals were mainly companies that supplied software for the healthcare sector.
According to researchers, the Orangeworm group has been active at least since 2015.
Looking at the list of victims, the researchers concluded that the medical industry is the main target of criminals, and many logistics companies and IT companies were also compromised as part of a massive attack on the supply chain. So, these companies are also engaged in the development and supply of solutions for the healthcare sector.
Experts believed that the ultimate goal of the attackers could be the theft of patents of medical organizations and their subsequent resale on the black market.
Lab52’s report, released a year earlier, in April 2019, fully confirmed Symantec’s findings.
However, an FBI warning states that attacks using Kwampirs malware are evolving, and now more likely to target ICS companies, and especially the energy sector.
If earlier researchers did not associate Orangeworm with any particular country, the FBI claims that the new data and the study of the Kwampirs source codes suggest that the trojan is very similar to the notorious Shamoon wiper developed by the Iranian hack group APT33.
Here it is worth recalling that recently, US Homeland Security just warned that they expect an increase in number of attacks by Iranian government hackers against structural objects and companies in the United States.
“Although the Kwampirs RAT did not have a wiper component, a comparative forensic analysis showed that the Kwampirs RAT looked a lot like the Disttrack malware for data destruction (usually known as Shamoon)”, – writes FBI.
Shamoon malware was used in multiple data destruction attacks against companies in the energy sector and, in particular, in oil and gas fields.
According to reports of information security experts, recently government hackers attacked companies more often.
The FBI urged companies to scan networks for any signs of Kwampirs and report about any infections.