An Israeli cybersecurity firm has identified a new type of ransomware that it believes was created by Iran and has the ability to lock up or even delete industrial control systems.
Tel Aviv-based Otorio, a cybersecurity firm which specializes in industrial control systems (ICS), said that the ransomware called “Snake,” like others of its kind, encrypts programs and documents on infected machines. But it also removes all file copies from infected stations, preventing the victims from recovering encrypted files.
Snake searches for hundreds of specific programs — including many industrial processes that belong to General Electric — to terminate them and allow it to encrypt the files, Otorio said.
“Deleting or locking targeted ICS processes would prohibit manufacturing teams from accessing vital production-related processes including analytics, configuration and control,” Otorio said in a statement. “This is the equivalent of both blindfolding a driver and then taking away the steering wheel.”
Multiple calls to the Iranian Foreign Ministry went unanswered.
In a statement, a General Electric representative said, “GE is aware of reports of a ransomware family with an industrial control system specific functionality. Based on our understanding, the ransomware is not exclusively targeting GE’s ICS products, and it does not target a specific vulnerability in GE’s ICS products.”
GE would work with customers to provide support as needed, the representative said.
Otorio researchers began investigating the appearance of a new ransomware in mid-December and soon realized it was one of the first designed to target the industrial sector. As they dug further, the researchers found that Bahrain Petroleum Co. — known as Bapco for short – was potentially vulnerable to this new cyber threat.
Not only does Bapco use GE equipment, its name was found in the malware’s code, Otorio said.
“There are findings and fingerprints inside the malware that when taken into account with the circumstances surrounding this campaign make it highly unreasonable that Snake was carried out by a different actor other than Iran,” the Otorio report said.
Boosting the researchers’ confidence that the Snake originated in Iran was an alleged separate attack on Bapco carried out in parallel with the finding of Snake.
“It is highly unlikely that a Gulf-area company will be attacked by two different potent actors, each targeting a different part of the organization at the same time,” the researchers said in an email.
Multiple calls to Bapco went unanswered.
Otorio Chief Executive Officer Danny Bren, former joint chief of cyber defense in the Israeli military, said that an Iranian choice of Bapco as a potential target wouldn’t be incidental.
“The target was picked carefully because they want to change oil prices,” he said. “This is financial warfare. The world is putting a lot of financial tension on Iran and they are reacting with the same tool.”
Former U.S. officials and security experts have expressed concern that Iran may be considering a cyber-attack against the U.S. or its allies after an American airstrike in Baghdad earlier this month killed Qassem Soleimani, the Iranian major general who led the Islamic Revolutionary Guard’s Quds force. Iran holds an arsenal of malware, and Otorio said Snake was likely created before the general’s assassination.
With assistance from Anthony DiPaola and Golnar Motevalli.