Palo Alto Networks’ Unit 42 finds previously unknown tools used in attacks on transportation and shipping firms in Kuwait
Security researchers have uncovered previously unknown tools used in attacks on transportation and shipping organisations based in Kuwait, along with clues that may link the most recent attacks to incidents that occurred last year.
The cyber-incidents come at a time of heightened tensions in the Middle East, which have recently resulted in attacks on tankers and an oil refinery.
Palo Alto Networks’ Unit 42 said it had observed attacks taking place in May and June 2019 that made use of a backdoor tool named Hisoka.
The company said mid-2019 attacks were “likely” to be related to others carried out in July to December 2018.
The earlier attacks used a tool called Sakabota that appears to be an earlier version of Hisoka.
Both names are derived from the Japanese anime series Hunter x Hunter, leading Palo Alto to name the campaign xHunt.
“Our analysis of the two campaigns revealed that Sakabota is the predecessor to Hisoka, which was first observed in May 2019,” Palo Alto said in an advisory.
Sakabota’s code also appears to be the basis for the other tools used in both campaigns, which include Netero, Killua and Gon, the firm added.
The 2018 attacks have also been reported by IBM’s X-Force IRIS security group.
“The Hisoka backdoor tool shares a significant amount of code from Sakabota, which is what leads us to believe that Hisoka evolved from Sakabota’s codebase,” Palo Alto said.
“The number of functions and variable names are exactly the same in both Sakabota and Hisoka, which infers that the same developer created both and spent little effort trying to hide this lineage.”
Palo Alto said it also found shared code used in Sakabota and the other tools used in the 2019 campaign.
The Hisoka backdoor was observed downloading other attack tools, including Gon, which allows the attacker to scan for open ports on remote systems, upload and download files, take screenshots, access other systems on the same network, run commands and create a Remote Desktop Protocol (RDP) capability.
The features allow attackers to monitor the system’s activities and steal files and data, Palo Alto said.
A later version of Hisoka was found to include additional features, indicating that its creators are actively developing the software.
Some of the infrastructure used by Hisoka, Sakabota and Gon shows potential overlaps with a hacking operation known as OilRig, APT 35 or Helix Kitten, which has been connected to Iran, according to Palo Alto.
IBM X-Force has also linked recent cyber-attacks in Kuwait to Iran.
But Palo Alto said the shared infrastructure doesn’t necessarily mean OilRig is connected to the xHunt attacks.
The company said it also remains unclear whether the 2018 and 2019 xHunt attacks were in fact carried out by the same operators.
“Due to these overlaps and the focused targeting of organisations within the transportation and shipping industry in the Middle East, we are tracking this activity very closely, and will continue analysis in order to determine a more solid connection to known threat groups,” the firm said.
The company provided indicators of compromise in a GitHub repository.