Although it may not directly affect the manufacturing automation sector, the discovery of a cyber espionage campaign that ran for more than three years against defense contractors, telecommunications firms and educational institutions is a reminder that companies in every sector need to remain vigilant.
The campaign, nicknamed “Volatile Cedar”, relies on a custom Trojan implant codenamed Explosive, according to analysts at Check Point Software Technologies’ malware and vulnerability research group.
This campaign has successfully penetrated a large number of targets across the globe and allowed attackers to monitor victims’ actions and steal data, Check Point researchers said.
The first evidence of Explosive was detected in November 2012, and several versions have appeared since. Check Point analysts believe Volatile Cedar is a highly targeted and well-managed campaign, possibly run by a nation state. Its targets are carefully chosen, and the infection is confined to the bare minimum of hosts required to achieve the attacker’s goal, minimizing the risk of exposure.
Check Point regional security engineer director A/NZ, Phillip Dimitriu, said the operation was very sophisticated.
“I like it, I think it’s clever. It extracts the information using key-logging, using clipboard logging, run commands and shell scripts to essentially collate information from multiple sources.
“Where there are massive amounts of information to be extracted, the attacker sets up SSH tunnels to connect to the appropriate control server and take the information away. The elements of information that have been made available show that the attack does not appear to be financially motivated and instead is focused on extrapolating information.”
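The exfiltration pattern Dimitriu describes, bulk data leaving over SSH tunnels to an attacker-controlled server, is something a defender can hunt for in ordinary flow records. The following is an added example written for this page, not Check Point’s tooling or anything recovered from the Explosive implant: it aggregates outbound port-22 flows per internal source and external destination, and flags pairs that are long-lived, push far more bytes out than they pull in (interactive SSH is normally inbound-heavy; a tunnel carrying stolen files is outbound-heavy), and are not on an allowlist of approved SSH endpoints. The internal ranges, the allowlisted bastion address, the thresholds and the flow records are all constructed assumptions; the page gives no ports, servers or volumes for the real campaign.

```python
"""Hunt for SSH-tunnelled exfiltration in outbound flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed (hypothetical) environment: internal address space and the only
# external SSH endpoint staff are expected to reach, e.g. a corporate bastion.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
ALLOWED_SSH_DESTS = {"203.0.113.10"}


@dataclass
class Flow:
    ts: int
    src: str
    dst: str
    dport: int
    duration_s: int
    bytes_out: int   # bytes sent by src
    bytes_in: int    # bytes received by src


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: ts,src,dst,dport,duration_s,bytes_out,bytes_in."""
    ts, src, dst, dport, dur, out_b, in_b = line.strip().split(",")
    return Flow(int(ts), src, dst, int(dport), int(dur), int(out_b), int(in_b))


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def suspicious_ssh_exfil(lines, min_duration_s=600, min_bytes_out=50_000_000,
                         min_out_in_ratio=5.0):
    """Aggregate internal->external SSH flows per (src, dst) pair and flag
    long-lived, outbound-heavy sessions to hosts outside the allowlist.
    Returns a list of dicts, largest bytes_out first."""
    totals = defaultdict(lambda: {"duration_s": 0, "bytes_out": 0,
                                  "bytes_in": 0, "flows": 0})
    for line in lines:
        f = parse_flow(line)
        if f.dport != 22:
            continue                      # heuristic: SSH on its default port only
        if not is_internal(f.src) or is_internal(f.dst):
            continue                      # only internal -> external traffic
        if f.dst in ALLOWED_SSH_DESTS:
            continue                      # approved bastion / git host
        t = totals[(f.src, f.dst)]
        t["duration_s"] += f.duration_s
        t["bytes_out"] += f.bytes_out
        t["bytes_in"] += f.bytes_in
        t["flows"] += 1

    hits = []
    for (src, dst), t in totals.items():
        ratio = t["bytes_out"] / max(t["bytes_in"], 1)   # guard against zero bytes_in
        if (t["duration_s"] >= min_duration_s
                and t["bytes_out"] >= min_bytes_out
                and ratio >= min_out_in_ratio):
            hits.append({"src": src, "dst": dst, "out_in_ratio": round(ratio, 1), **t})
    hits.sort(key=lambda h: h["bytes_out"], reverse=True)
    return hits


# Constructed sample flows (ts,src,dst,dport,duration_s,bytes_out,bytes_in).
SAMPLE_FLOWS = [
    "1000,10.1.2.3,203.0.113.10,22,3600,40000000,2000000",   # allowlisted bastion
    "1001,10.1.2.4,198.51.100.7,22,7200,120000000,3000000",  # long, outbound-heavy
    "1002,10.1.2.5,198.51.100.8,22,120,900000,1500000",      # short interactive session
    "1003,10.1.2.4,198.51.100.7,22,1800,30000000,500000",    # same pair, second session
    "1004,10.1.2.6,10.1.2.7,22,5000,500000000,100",          # internal to internal
    "1005,10.1.2.8,198.51.100.9,443,5000,500000000,100",     # not SSH
]

if __name__ == "__main__":
    for hit in suspicious_ssh_exfil(SAMPLE_FLOWS):
        print(hit)
```

Run against the constructed records, only the 10.1.2.4 to 198.51.100.7 pair is reported: two sessions totalling 150 MB out against 3.5 MB in. The check is deliberately narrow. It misses SSH on a non-standard port, a tunnel whose endpoint has been added to the allowlist, and slow exfiltration spread over many short sessions; treat the thresholds as a starting point to tune against a baseline of your own SSH traffic rather than as detection of Explosive itself.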
Check Point head of incident response and threat intelligence, Dan Wiley, described the series of attacks as interesting.
“This is one face of the future of targeted attacks: Malware that quietly watches a network, stealing data, and can quickly change if detected by antivirus systems. It’s time for organizations to be more proactive about securing their networks.”