African Electric Utility Targeted With DroxiDat Malware
Attack Underscores Critical Infrastructure Vulnerabilities
A Russian-speaking ransomware-as-a-service operation may be responsible for deploying malware onto the network of an electric utility in southern Africa in an attack researchers said underscores heightened risks of industrial ransomware attacks.
An unknown actor deployed a variant of commodity malware SystemBC dubbed DroxiDat along with Cobalt Strike onto the utility, leading researchers at Kaspersky to attribute the attack - with low confidence - to a financially motivated threat actor known as FIN12 and Pistachio Tempest, which was previously tracked as DEV-0237.
The incident was likely the initial stages of a ransomware attack, Kaspersky said.
Worries about cyberattacks against the energy sector, whether for profit or by nation-states, spiked following Russia's February 2022 invasion of Ukraine. Cybersecurity firm Mandiant in May identified a new strain of Russian operational technology malware and warned that it could cause electric power disruption in Europe, the Middle East and Asia. Cyber experts in the United States have voiced mounting concerns over China as a growing threat to electric infrastructure. A 2019 survey of the global energy sector cited by Kaspersky finds that more than half of respondents reported "at least one attack involving a loss of private information or an outage in the OT environment in the past 12 months."
SystemBC is a proxy and remote administrative tool first spotted in 2019. Its most famous application to date was likely the DarkSide ransomware-as-a-service attack on Colonial Pipeline, the American oil distributor whose ransomware-induced outage caused consumer shortages of gas throughout the Southern and mid-Atlantic regions of the United States (see: FBI: DarkSide Ransomware Used in Colonial Pipeline Attack).
Other indicators pointing to FIN12 include use of the Windows performance logs folder C:\perflog for storage, and past ransomware incidents involving Cobalt Strike that share the same license ID, staging directories and sometimes the same command-and-control infrastructure.
SystemBC is widely used by different ransomware groups and is often distributed through the Emotet botnet or the SmokeLoader backdoor.
The latest variant is much more compact - 8 kilobytes in size - than previous SystemBC versions, Kaspersky found. Coders behind DroxiDat removed most of the malware's functionality, leaving it "a simple system profiler - its file name suggests its use case as 'syscheck.exe.'" DroxiDat does not download and execute new modules. It "can connect with remote listeners and pass data back and forth, and modify the system registry."
The Kaspersky researchers said the hackers targeting the southern African utility deployed DroxiDat and SystemBC on the same kinds of system assets that DarkSide affiliates targeted in a 2021 ransomware attack against Brazilian energy companies Eletrobras and Copel.