The Federal Bureau of Investigation has issued a private industry notification warning organizations across the U.S. that hackers are actively targeting their supply chain partners to compromise their systems.
The security alert, sent to the US private sector last week, warned that hackers are going upstream and infecting supply chain companies with Kwampirs, a Remote Access Trojan (RAT), ZDNet reports.
A snippet of the notice, obtained by the publication, reads:
“Software supply chain companies are believed to be targeted in order to gain access to the victim's strategic partners and/or customers, including entities supporting Industrial Control Systems (ICS) for global energy generation, transmission, and distribution.”
The FBI’s information points to nation-state-sponsored actors, but the attackers remain unidentified. Nor does the agency name the organizations targeted in the campaign, meaning the warning is being distributed discreetly among industry players.
The notice also states that, besides attacks against supply chain partners, the malware is being deployed in industries such as healthcare, energy and financial services.
The document includes indicators of compromise (IOCs) and YARA rules to help IT departments erect defenses against Kwampirs.
According to the Bureau, code analysis of Kwampirs reveals "similarities" with Shamoon, a notoriously dangerous data-wiping malware developed by APT33, a hacking group with ties to Iran.
"While the Kwampirs RAT has not been observed incorporating a wiper component, comparative forensic analysis has revealed the Kwampirs RAT as having numerous similarities with the data destruction malware Disttrack (commonly known as Shamoon)," the FBI said.
Shamoon first made headlines in late 2012 when it was used to attack Saudi Arabia’s state-owned oil company Saudi Aramco. The hackers wiped the data stored on over 30,000 Windows computers owned by the oil company before displaying an image of a US flag in flames.
The US Cyber Command issued a warning last year about an unnamed foreign country’s attempt to spread malware via a vulnerability in Microsoft Outlook.
Security analyst Graham Cluley reported at the time that the alert arrived a little more than a week after the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) had warned of increased activity by Iranian hacking groups, urging U.S. organizations to take proactive measures.