The Labs team at malware protection company SentinelOne has discovered a sophisticated malware campaign that's specifically targeting at least one European energy company.
The malware, called SFG, is the mother ship of an earlier malware sample called Furtim. It targets industrial automation control systems and acts as a dropper to deliver a payload which could be used to extract data or potentially shut down the energy grid.
The malware has been developed to work on devices running any version of Microsoft Windows and has been carefully designed to bypass traditional antivirus software and firewalls - including those using both static and heuristic techniques. It's also primed to detect when it's being run in a sandbox environment or on systems using biometric access control systems. Where such defenses are detected, the software re-encrypts itself and stops working until released from the sandbox, in order to avoid detection by security analysts.
Joseph Landry, senior researcher for SentinelOne says, "The software establishes a gateway for something else, whatever that is they wouldn't have to spend as much money on it because SFG has already got past the antivirus, so there are no concerns about whether it will be detected or not".
So far the malware appears to be very specifically targeted: it's looking for one vendor's access control system software. It's also deliberately designed to avoid affecting machines that are heavily watched by administrators. "The code is very dense and there's no bit of code in there that does something which isn't necessary, it's very concise," adds Landry. It has the hallmarks of previous attacks carried out from Russia, but SentinelOne doesn't have evidence to say it's actually from there.
"The malware has all the hallmarks of a nation state attack due to its extremely high level of sophistication and the cost associated with creating software of this advanced nature," says Udi Shamir, chief security officer at SentinelOne. "It appears to be the work of multiple developers who have reverse engineered more than a dozen antivirus solutions and gone to extreme lengths to evade detection, including causing the AV software to stop working without the user being alerted.
"Attacks of this nature require substantial funding and knowhow to pull off and are likely to be the result of a state sponsored attack, rather than a cybercriminal group".
More detailed information on the attack is available on the SentinelOne blog.