In a recent cyber-attack that took place in a southern African nation, a critical infrastructure power generator fell victim to a sophisticated attack. The attackers employed a new variant of the SystemBC malware and paired it with Cobalt Strike beacons, raising concerns about the potential implications for critical infrastructure security.
Timeline of the attack
The cyber-attack unfolded during the third and fourth weeks of March 2023, highlighting the persistence and determination of the threat actors involved.
SystemBC Malware
SystemBC, a proxy-capable backdoor, has been a recurring component of cybercrime malware sets for several years. Its versatile nature and ability to evade detection have made it a popular choice among attackers. The discovery of a new variant called DroxiDat indicates an ongoing evolution in the tactics and techniques employed by cybercriminals.
Introduction of DroxiDat
The DroxiDat variant of SystemBC exhibits similarities to its predecessors while introducing some unique characteristics. This enhanced version allows the attackers to maintain a covert presence within the compromised network and perform malicious activities with increased efficiency.
Presence of DroxiDat and Cobalt Strike Beacons
During the attack on the critical infrastructure power generator, security researchers detected multiple instances of DroxiDat alongside Cobalt Strike beacons. The combination of these two powerful tools indicates a highly organized and targeted cyberattack, highlighting the sophistication and expertise of the threat actors involved.
Purpose of the Attack
The attackers deployed the DroxiDat/SystemBC payload to collect valuable system information. This could potentially grant them unauthorized access to critical infrastructure systems, enabling them to disrupt operations, cause physical damage, or steal sensitive data. Moreover, the use of a command-and-control infrastructure connected to an energy-related domain raises concerns of a potentially state-sponsored or APT-related attack.
Ransomware Threat
The combination of DroxiDat/SystemBC and Cobalt Strike beacons suggests a possible ransomware threat. DroxiDat’s ability to profile compromised systems and establish remote connections makes it a valuable tool for cybercriminals orchestrating ransomware campaigns. The attackers may have exploited the vulnerabilities they discovered to encrypt critical data, holding it hostage until a ransom is paid.
Attribution Challenges
Attributing cyber-attacks is often a complex and challenging task. In this case, while specific indicators point to the involvement of a Russian-speaking Ransomware-as-a-Service (RaaS) group, definitively attributing the attack remains a challenge. These groups often operate in a clandestine manner, making it difficult to accurately identify the individuals or organizations responsible.
The cyberattack on the critical infrastructure power generator highlights the evolving tactics and techniques employed by threat actors. The use of a new variant of the SystemBC malware, combined with Cobalt Strike beacons, underscores the level of sophistication involved in the attack. The potential implications for critical infrastructure security cannot be overstated, necessitating enhanced measures to defend against such threats. It serves as a reminder that protecting critical infrastructure in the digital age is of paramount importance to ensure the safe and reliable functioning of essential services.