OTORIO Finds Iranian Connection in Recent Industrial-focused Ransomware

28 Jan 2020

SNAKE is a new strain of ransomware aimed at disrupting the activity of Industrial Control Systems (ICS). Researchers from OTORIO have uncovered a connection between this ransomware and a recent attack by Iranian hackers on one of the largest oil producers in the Middle East. Snake was previously reported by MalwareHunterTeam and Vitali Kremez of SentinelLabs on January 8th, 2020.

Like most ransomware, Snake encrypts programs and documents on infected machines. To prevent the encrypted files from being recovered from archives, Snake removes all file copies from infected stations, leaving the victims no choice but to pay the ransom or lose the data. Most importantly, Snake searches for hundreds of specific programs, including various Industrial Control Systems oriented processes, and terminates them so that it can encrypt their files.

Snake uses a termination list that is almost identical to that of the MegaCortex ransomware, first discovered in mid-2019. However, Snake focuses on hundreds of specific processes, many of which target ICSs. More specifically, a majority of the targeted ICS processes belong to General Electric. This implies that the target of the attack employs GE equipment in its network. OTORIO researchers found one very likely candidate: Bahrain’s leading national petroleum company, BAPCO. This was corroborated by the email listed in Snake’s ransom message: [email protected].

“The potential damage of a Snake attack is significant,” says Dor Yardeni, Head of Incident Response and Threat Hunting at OTORIO. “Deleting or locking targeted ICS processes would prohibit manufacturing teams from accessing vital production-related processes including analytics, configuration, and control. This is the equivalent of both blindfolding a driver and then taking away the steering wheel.”

In addition, Snake stops a critical networking process in the GE Digital Proficy server. This industrial gateway enables the connectivity to Proficy HMI/SCADA, MES, and EMI. Without it, operational teams would not just be driving blind - they’d also be deaf and dumb.

This is not the first time that BAPCO has fallen prey to a targeted cyberattack. Recently it was reported that Iranian state-sponsored hackers had deployed a data-wiping malware dubbed Dustman on BAPCO’s network. It’s no coincidence that these two attacks come in such close proximity to one another. Iran has targeted its neighbors’ industrial infrastructure more than once. Furthermore, Iran’s hackers are known to learn from the capabilities and actions of others and to copy and utilize them to their advantage. Using an already “proven” malware (i.e. MegaCortex) and honing it (to target ICSs) is a hallmark of the operating methods of Iranian hackers (see our most recent blog: “Why We Need to Prepare for an Iranian Attack on ICS”). This makes Iran not only the immediate suspect – but a highly likely one as well.

OTORIO is an industrial-native cyber and digital risk-management solutions provider. OTORIO’s automated Digital Risk-based Maintenance solution aggregates threat data analysis to provide deep insights into industrial control systems, identifying risks, and mitigating them before they can cause damage. OTORIO empowers industrial companies to implement, automate, and operate secure production, making way for a safer, more reliable, and productive industry.