Snake Industrial-focused Ransomware with Ties to Iran Identified

Enterprise & IT, Jan 28, 2020

An Israeli cybersecurity firm flags an Iranian connection in a new strain of ransomware aimed at disrupting the activity of Industrial Control Systems (ICS).

OTORIO researchers said that Snake encrypts programs and documents on infected machines. Then, to prevent recovering the encrypted files from archives, Snake removes all file copies from infected stations, leaving the victims no choice but to pay the ransom or lose the data. Lastly, Snake searches for hundreds of specific programs, including various Industrial Control Systems oriented processes, in order to terminate them and allow it to encrypt their files.

OTORIO says that Snake uses a termination list that is almost identical to that of the MegaCortex ransomware, first discovered in mid-2019. However, Snake focuses on hundreds of specific processes, many of which target ICSs. More specifically, a majority of the targeted ICS processes belong to General Electric. This means that the target of the attack employs GE equipment in its network. OTORIO researchers found one very likely candidate: Bahrain’s leading national petroleum company, BAPCO. This was corroborated by the email address listed in Snake’s ransom message: bapcocrypt@ctemplar.com.

In a statement, a General Electric representative said, “GE is aware of reports of a ransomware family with an industrial control system specific functionality. Based on our understanding, the ransomware is not exclusively targeting GE’s ICS products, and it does not target a specific vulnerability in GE’s ICS products.”

GE would work with customers to provide support as needed, the representative said.

"The potential damage of a Snake attack is significant," says Dor Yardeni, Head of Incident Response and Threat Hunting at OTORIO. "Deleting or locking targeted ICS processes would prohibit manufacturing teams from accessing vital production-related processes including analytics, configuration, and control. This is the equivalent of both blindfolding a driver and then taking away the steering wheel. In addition, Snake stops a critical networking process in the GE Digital Proficy server. This industrial gateway enables the connectivity to Proficy HMI/SCADA, MES, and EMI. Without it, operational teams would not just be driving blind - they’d also be deaf and dumb."

This is not the first time that BAPCO has fallen prey to a targeted cyberattack. Recently it was reported that Iranian state-sponsored hackers had deployed data-wiping malware dubbed Dustman on BAPCO’s network. It’s no coincidence that these two attacks came in close proximity to one another. Iran has targeted its neighbors’ industrial infrastructure more than once. Furthermore, Iran’s hackers are known to learn from the capabilities and actions of others and to copy and utilize them to their advantage. Using an already “proven” malware (i.e. MegaCortex) and honing it (to target ICSs) is a hallmark of the operation methods of Iranian hackers.
