The Week in Security: Russian hackers targeted U.S. gas and electric, malicious PyPI packages show prowess

This week: Russian-linked hackers had U.S. critical infrastructure in the crosshairs with powerful malware. Also: 400 malicious packages found on PyPI demonstrate prowess.

This Week’s Top Story

Russian hacking group Chernovite targeted U.S. electric and gas facilities with PIPEDREAM malware

Advanced industrial control system malware linked to a Russian state actor was being readied for attacks on electric and liquid natural gas facilities in the U.S. and Europe in the early stages of Russia’s war on Ukraine - a disaster that was narrowly averted, according to Robert M. Lee, the CEO of Dragos, a company that specializes in industrial control system cybersecurity.

In a press briefing, Lee said that the Russian-linked hacking group known as “Chernovite” used the PIPEDREAM malware to try and take down “around a dozen” U.S. electric and liquid natural gas sites. Lee did not share with reporters why the attack wasn’t successful, but did share that the actors behind PIPEDREAM were “getting very close” to pulling the trigger on the operation at the time it was discovered and thwarted.

The PIPEDREAM malware, which first came to light in April of 2022, is unique because it is capable of working across industrial control system and SCADA platforms. In contrast, previous ICS focused malware was constrained to working with a specific ICS platform and type of facility, Lee told reporters. Researchers at Mandiant subsequently linked the PIPEDREAM malware and Chernovite to Russia.

While the Russian-linked Chernovite group did not successfully attack the 12 electric and gas sites, their move sets a dangerous precedent for the use of critical infrastructure as a target for international conflict. The increased risks of attacks prompted the Cybersecurity and Infrastructure Security Agency (CISA) to launch its "Shields Up" program in 2022, urging organizations to "adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets" and providing resources to help critical infrastructure owners respond to cyber threats.

Though that attack was averted, Russian-linked actors still pose a threat to the U.S. and other major countries. According to Lee, “Chernovite is still active” and PIPEDREAM is still an effective platform from which to launch attacks, which means the group will plan on developing the malware and their attack strategy to deploy it at some point in the future.

News Roundup

Here are the stories we’re paying attention to this week…

Latest attack on PyPI users shows crooks are only getting better (ArsTechnica)

More than 400 malicious packages were recently uploaded to PyPI (Python Package Index), the official code repository for the Python programming language. This is the latest indication that the targeting of software developers using this form of attack isn’t a passing fad — and the bad guys are getting better at their craft.

North Korea's APT37 target defectors, human rights groups in South Korea with M2RAT (The Hacker News)

The North Korea-linked threat actor tracked as APT37 has been linked to a piece of new malware dubbed M2RAT in attacks targeting North Korean defectors and human rights groups operated in South Korea, suggesting continued evolution of the group's features and tactics.

City of Oakland declares state of emergency after ransomware attack (BleepingComputer)

Oakland has declared a local state of emergency because of a ransomware attack that forced the city to take all its IT systems offline on February 8th. Interim City Administrator G. Harold Duffey declared a state of emergency to allow the City of Oakland to expedite orders, materials and equipment procurement, and activate emergency workers when needed.

Experts warn of 'Beep' — a new evasive malware that can fly under the radar (The Hacker News)

Researchers at Minerva Labs unearthed a new piece of evasive malware dubbed Beep that's designed to fly under the radar and drop additional payloads onto a compromised host: "It seemed as if the authors of this malware were trying to implement as many anti-debugging and anti-VM (anti-sandbox) techniques as they could find."

NPM packages posing as speed testers install crypto miners instead (BleepingComputer)

A new set of 16 malicious NPM packages pose as Internet speed testers but are, in reality, coinminers that hijack the compromised computer's resources to mine cryptocurrency for the threat actors.