Iran: Researchers from Recorded Future observed evidence of the Remote Access Trojan PupyRAT targeting the European energy sector. Although the researchers could not attribute the attack to a specific threat group, they noted that the Iran-backed threat group APT 33, also known as Elfin, has previously used PupyRAT to target critical infrastructure. The threat actors are assumed to be using these network intrusions for reconnaissance and to collect sensitive information about the targeted organizations and the industry as a whole. The group used publicly available tools to carry out its attacks, including PupyRAT, a tool commonly used for defensive red-teaming exercises across the security industry. PupyRAT is an open-source project written in Python that can operate on Windows, Linux, macOS, and Android. APT 33 has used the tool in the past, which is why analysts have suggested that this could be the work of the Iranian threat actors. Recorded Future observed a PupyRAT command and control (C2) server communicating with a mail server belonging to a European energy sector organization. Although this does not by itself prove a compromise, the repeated communication between the C2 server and the mail server indicates that an intrusion is likely.
Because Iranian actors have used this tool in the past and Iran has a known interest in the European energy sector, it is possible that this is the work of Iranian actors. However, further information is necessary before drawing a conclusion about attribution, and it is important to consider the possibility of a “false flag” operation. Regardless of attribution, it is important for defenders of critical infrastructure to be aware of the threat. Organizations can defend against PupyRAT by monitoring for sequential login attempts from the same IP address against different accounts, using multi-factor authentication, and ensuring that all passwords in use are complex and unique to each user and product. Utilizing a monitoring service on endpoints that detects intrusions by analyzing attacker behavior is another way to quickly stop an attack, even one that evades traditional anti-virus defenses. Binary Defense offers its Managed Detection and Response software in conjunction with 24/7/365 SOC monitoring to detect and contain attacks before they move throughout a network. The full Recorded Future report can be read here: https://www.recordedfuture.com/pupyrat-malware-analysis/
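The monitoring recommendation above (sequential login attempts from one IP against different accounts) can be turned into a simple detection. The following is an added example, not code from Binary Defense or Recorded Future; the log format and the sample lines are constructed for illustration, and the threshold of three distinct accounts within five minutes is an assumed tuning value.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of mail-server failed-login lines (not from the report).
# Assumed format: "<ISO timestamp> auth failed user=<account> ip=<source>"
SAMPLE_LOG = """\
2020-01-20T08:00:01 auth failed user=alice ip=203.0.113.7
2020-01-20T08:00:04 auth failed user=bob ip=203.0.113.7
2020-01-20T08:00:09 auth failed user=carol ip=203.0.113.7
2020-01-20T08:00:15 auth failed user=dave ip=203.0.113.7
2020-01-20T08:03:00 auth failed user=alice ip=198.51.100.9
2020-01-20T08:03:30 auth failed user=alice ip=198.51.100.9
2020-01-20T09:10:00 auth failed user=erin ip=192.0.2.44
"""

LINE_RE = re.compile(r"^(\S+) auth failed user=(\S+) ip=(\S+)$")


def parse_events(text):
    """Return a list of (timestamp, user, ip) for each parsable failed-login line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events


def find_spraying_ips(events, min_accounts=3, window=timedelta(minutes=5)):
    """Return {ip: accounts} for source IPs that attempted at least
    min_accounts distinct accounts within any sliding time window."""
    by_ip = defaultdict(list)
    for ts, user, ip in sorted(events):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # advance the left edge until the window fits the configured span
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_accounts:
                flagged[ip] = users  # record the accounts seen at first detection
                break
    return flagged
```

Repeated failures against a single account (198.51.100.9 in the sample) are deliberately not flagged, since the page's indicator is one source rotating across many accounts.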