The Federal Bureau of Inquiry confirmed today that the attack earlier this week on the Blew Bayou polymer facility used a new version of the SolarFlare malware that was originally delivered as part of the 2019 Sunburst campaign. “There have been substantial modifications to the malware,” Johnathan Quest, FBI spokesperson, told reporters this morning; “Enough changes in language and syntax that we are not sure if this was produced by the original team or a completely different attacker.”
Kate Libby, a researcher at Dragonfire Cyber that has been working with the FBI on the Blew Bayou investigation, told reporters that the malware was introduced into the polymer control system via a sophisticated phishing attack. “A personal email to the process control engineer directed her to go to the Robotron web site to see a new product introduction,” Libby explained; “The engineer did not click the link in the email but used an existing link from her system to get to the Robotron web site. While on the site she clicked on one of those ubiquitous check boxes accepting site cookies. That action downloaded the malware.”
Erich Mielke, spokesperson for Robotron, confirmed that the company’s web site had been hacked to set up the drive by download. “We use a web privacy compliance company, Datenshutz, to handle all of our website regulatory compliance activities,” Mielke explained; “They were responsible for the cookies notification application on our site. We have been assured that they have corrected the problem.”
Helga Brache, spokesperson for Datenshutz, confirmed that the company was responsible for the application on the Robotron site. “We are currently investigating how the malware download was inserted into our application. We do not believe that any other sites have been affected at this time.”
Libby urged anyone that had visited the Robotron site over the last six months to have their systems checked for the presence of the SolarFlare malware. “The indicators of compromise that were published by CI-SOC for the original malware still apply to the new version,” Kate explained to reporters.
Quest told reporters that the FBI investigation was still progressing. “We are continuing to follow leads and hope to identify the perpetrators of this attack in the coming days,” he explained; “If you have any indications that your systems have been compromised via the Robotron web site, please contact your local FBI office.”
No comments:
Post a Comment