The FBI has warned private sector companies about an active hacking campaign targeting software vendors. The attackers seek to compromise the software supply chain by infecting the vendors' developers with the Kwampirs Trojan, so that the malware is passed downstream to the vendors' customers.
“We believe that software vendors are targeted for attacks to gain access to their strategic partners and customers, including organizations that support process control systems for the global production, transmission and distribution of energy,” the FBI said last week.
The FBI also reports that the same malware has been used to attack companies in the healthcare, energy and finance sectors. The names of the affected companies have not been disclosed.
Kwampirs was first described in a Symantec report in April 2018. At that time, researchers wrote that the hacker group Orangeworm was using Kwampirs in supply chain attacks, and that the group's targets were mainly companies supplying software to the healthcare sector.
According to the researchers, the Orangeworm group has been active since at least 2015. From the list of victims, the researchers concluded that the medical industry was the attackers' main target, and that many logistics and IT companies had also been compromised as part of a large-scale supply chain attack, since those companies were themselves engaged in developing and supplying solutions for the healthcare sector. The experts believed that the attackers' ultimate goal could be the theft of patents from medical organizations and their subsequent resale on the black market.
A report by Lab52, released a year later in April 2019, fully confirmed Symantec's findings.
However, the FBI warning states that attacks using the Kwampirs malware are evolving and are now more likely to target ICS companies, and especially the energy sector. And while researchers had previously not attributed Orangeworm to any particular country, the FBI says that new data and a study of the Kwampirs source code suggest that the Trojan is very similar to the notorious Shamoon wiper developed by the Iranian hacking group APT33.
“Although the Kwampirs RAT did not have a wiper component, a comparative forensic analysis showed that the Kwampirs RAT looked a lot like the Disttrack data-destruction malware (commonly known as Shamoon),” the FBI writes.