Sqlpro malware
6/30/2023

CosmicEnergy shares capabilities with 2016's Industroyer, a particularly dangerous type of Russian malware that can directly control electricity substation switches and circuit breakers, as well as its successor, Industroyer v2, which Ukrainian threat hunters discovered after Russia's invasion last year. Both of these variants have been deployed to impact certain electricity transmission and distribution systems, we're told.

"Given that threat actors use red team tools and public exploitation frameworks for targeted threat activity in the wild, we believe CosmicEnergy poses a plausible threat to affected electric grid assets," the Mandiant researchers said in research published today. "OT asset owners leveraging IEC-104 compliant devices should take action to preempt potential in the wild deployment of CosmicEnergy."

As IEC-104 is generally not used in the US, which more commonly uses Distributed Network Protocol 3 (DNP3), this malware variant doesn't pose a direct threat to American power grids and other industrial control systems, Lunden said. "But US defenders can still learn about the overall attack strategy," he added.

The malware has two components, which Mandiant calls PieHop and LightWork.

PieHop, written in Python, is expected to run on a compromised host within a target's network. It connects to an MSSQL server and uploads files to that machine. It appears PieHop needs to be supplied the IP address and credentials of that database server; some homework therefore needs to be done by an attacker to make use of the tool. Judging from Mandiant's findings, PieHop uploads LightWork to the server and runs it.

LightWork, written in C++, does the actual work of sending on or off commands to connected industrial equipment via the IEC-104 protocol. LightWork's executable is deleted immediately after it's used by PieHop.

To pull off an attack, an intruder would need to infect a PC within a power supplier's network, find a Microsoft SQL Server on the network that has access to operational equipment, and obtain the login details for that box. PieHop is then run on the PC to upload LightWork to the server, which sends disruptive commands to connected industrial devices.
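Since the article's point is that LightWork's end effect is IEC-104 on/off commands reaching field devices, the monitoring side is what a defender wants to see. The following is an added example, not code from the article, from Mandiant or from the malware: a minimal decoder for IEC 60870-5-104 frames that picks out single and double control commands (ASDU type IDs 45 and 46) in their execute phase and flags any whose information object address is not on an operator-maintained allow-list. The frames, the allow-list and the function names are constructed assumptions for illustration; the frame layout (0x68 start byte, APCI control fields, type ID, cause of transmission, common address, 3-octet IOA, command qualifier) follows the standard.

```python
# Added example (not from the article, Mandiant or the malware): a minimal
# IEC 60870-5-104 APDU decoder that a network monitor could use to flag
# on/off control commands sent to outstations. Frames below are constructed.

# ASDU type identifiers for the control commands worth flagging.
CONTROL_TYPES = {
    45: "C_SC_NA_1",  # single command: bit 0 of the qualifier is the ON/OFF state
    46: "C_DC_NA_1",  # double command: bits 0-1 hold 1 = OFF, 2 = ON
}
COT_ACTIVATION = 6  # cause of transmission used for a command request


def parse_apdu(frame: bytes) -> dict:
    """Split one APDU into its APCI control fields and (for I-format) the ASDU."""
    if len(frame) < 6 or frame[0] != 0x68:
        raise ValueError("not an IEC-104 APDU (missing 0x68 start byte)")
    if len(frame) != frame[1] + 2:
        raise ValueError("APDU length field does not match frame size")
    ctrl = frame[2:6]
    if ctrl[0] & 0x01:
        # S-format (bits 01) carries only a receive sequence; U-format (bits 11)
        # carries connection-management signals. Neither has an ASDU.
        return {"format": "U" if (ctrl[0] & 0x03) == 0x03 else "S", "type_id": None}
    asdu = frame[6:]
    if len(asdu) < 6:
        raise ValueError("ASDU header truncated")
    return {
        "format": "I",
        "send_seq": (ctrl[0] | ctrl[1] << 8) >> 1,
        "recv_seq": (ctrl[2] | ctrl[3] << 8) >> 1,
        "type_id": asdu[0],
        "num_objects": asdu[1] & 0x7F,
        "cot": asdu[2] & 0x3F,            # low 6 bits; bit 6 = P/N, bit 7 = test
        "common_addr": asdu[4] | asdu[5] << 8,
        "objects": asdu[6:],
    }


def decode_control(parsed: dict):
    """Return (ioa, action, phase) for a single/double command ASDU, else None."""
    if parsed["type_id"] not in CONTROL_TYPES:
        return None
    obj = parsed["objects"]
    if len(obj) < 4:
        raise ValueError("control object truncated")
    ioa = obj[0] | obj[1] << 8 | obj[2] << 16  # 3-octet information object address
    qualifier = obj[3]
    if parsed["type_id"] == 45:
        action = "ON" if qualifier & 0x01 else "OFF"
    else:
        action = {1: "OFF", 2: "ON"}.get(qualifier & 0x03, "INVALID")
    phase = "select" if qualifier & 0x80 else "execute"  # S/E bit
    return ioa, action, phase


def alerts_for(frames, allowed_ioas):
    """Flag executed ON/OFF commands whose target point is not on the allow-list."""
    alerts = []
    for frame in frames:
        parsed = parse_apdu(frame)
        if parsed["format"] != "I":
            continue
        ctl = decode_control(parsed)
        if ctl is None:
            continue
        ioa, action, phase = ctl
        if phase == "execute" and parsed["cot"] == COT_ACTIVATION and ioa not in allowed_ioas:
            alerts.append({"ioa": ioa, "action": action,
                           "type": CONTROL_TYPES[parsed["type_id"]],
                           "common_addr": parsed["common_addr"]})
    return alerts


# Constructed sample traffic (not a capture): common address 1 throughout.
SAMPLE_FRAMES = [
    # U-format TESTFR act: keep-alive, no ASDU
    bytes.fromhex("68 04 43 00 00 00"),
    # C_IC_NA_1 general interrogation (type 100), COT activation: a read, not a control
    bytes.fromhex("68 0e 00 00 00 00 64 01 06 00 01 00 00 00 00 14"),
    # C_SC_NA_1 single command, IOA 0x10, execute, state ON
    bytes.fromhex("68 0e 02 00 00 00 2d 01 06 00 01 00 10 00 00 01"),
    # C_DC_NA_1 double command, IOA 0x20, execute, state OFF (DCS = 1)
    bytes.fromhex("68 0e 04 00 00 00 2e 01 06 00 01 00 20 00 00 01"),
]

if __name__ == "__main__":
    # Point 0x20 is on the allow-list, so only the single command to 0x10 is flagged.
    for alert in alerts_for(SAMPLE_FRAMES, allowed_ioas={0x20}):
        print(alert)
```

The allow-list is deliberately the only policy: in a real deployment it would be derived from the points an operator's control system is actually expected to command, and the alert would be correlated with the TCP source so that commands originating from anything other than the known SCADA master stand out. Sites using DNP3 rather than IEC-104, as the article notes is common in the US, would need the equivalent decoding for DNP3 control-relay output blocks instead.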