In April's edition of Phish and Ships, cyber attacks are in the spotlight. They are devastating, but they are also sophisticated, and ShadowHammer proves it. Gideon Lenkey, President of Ra Security Systems Inc and Epsco-Ra Maritime Cyber Security, focuses on the importance of cyber security.
Recently, Kaspersky Lab uncovered ShadowHammer, a malware campaign that presents all the hallmark traits of an Advanced Persistent Threat (APT) effort.
APTs are tracked by number and are thought to be nation-state actors; they can also be identified by their methods, tools, targets and goals.
As Lenkey reports, APT 38 is attributed to North Korea and targets financial institutions.
What sets this malware apart from the rest is that it attacks an early stage of the end user's product life cycle. Specifically, the attack targeted ASUS computers by placing the malware directly in the official update utility distributed by ASUS.
So, in order to run without sticking out like a sore thumb, the software has to be digitally signed with a certificate issued by a trusted certificate authority. The certificate identifies the creator of the software, giving the user a way to validate that the software is genuine. In this case, the attackers stole the certificate and signed their malware with it, so Windows wouldn't complain when the user installed it. They were also able to place their trojaned version of the update utility on the official download site, which means they had either direct access to the servers or access somewhere along the path from the developers to the distribution point.
ShadowHammer differs from the attack described above in that, rather than the malware running on every computer that downloaded the update utility from the ASUS site, it only ran on systems with specific MAC IDs. A MAC (Media Access Control) ID is a unique identification number assigned to a network interface such as a WiFi or Ethernet card; generally speaking, no two are the same. The ShadowHammer malware carried a list of 600 MAC IDs, which equates to 600 specific users being targeted.
This implies that the attacker had a very specific end goal and knew its target was in possession of computers that it had narrowed down to a group of 600. It is not known at this time (or, if it is, it hasn't been made public) whether all 600 were the target or only a subgroup within the 600. Either way, it implies a sobering level of targeting intelligence.
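As an added illustration of the MAC-based targeting described above (example code written for this page, not Kaspersky's or ASUS's tool): a defender-side check that compares a host's interface MAC addresses against a published list of targeted MAC IDs. The indicator list here is a constructed sample, and the support for MD5-hashed entries is an assumption about how such lists may be published, not something the article states.

```python
import hashlib
import re
import uuid

def normalize_mac(mac):
    """Canonicalise '00-0C-29-AB-CD-EF', '000c.29ab.cdef', etc. to 'xx:xx:xx:xx:xx:xx'."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def mac_md5(mac):
    """MD5 of the canonical form; assumes hashed lists hash this exact string."""
    return hashlib.md5(normalize_mac(mac).encode()).hexdigest()

def load_target_list(entries):
    """Split a mixed indicator list into (raw MAC set, md5 set); junk entries are skipped."""
    raw, hashed = set(), set()
    for e in entries:
        e = e.strip().lower()
        if re.fullmatch(r"[0-9a-f]{32}", e):
            hashed.add(e)
        else:
            try:
                raw.add(normalize_mac(e))
            except ValueError:
                pass  # neither a MAC nor an MD5 digest: ignore
    return raw, hashed

def matched_macs(host_macs, targets):
    """Return the host MACs (canonical form) present in the target list, raw or hashed."""
    raw, hashed = load_target_list(targets)
    hits = []
    for m in host_macs:
        try:
            canon = normalize_mac(m)
        except ValueError:
            continue
        if canon in raw or mac_md5(canon) in hashed:
            hits.append(canon)
    return hits

# Constructed sample indicator list (NOT real ShadowHammer data): one raw MAC,
# one MD5-hashed MAC and one junk entry.
SAMPLE_TARGETS = ["00-0C-29-AB-CD-EF", hashlib.md5(b"00:50:56:11:22:33").hexdigest(), "garbage"]

if __name__ == "__main__":
    # Best-effort local check: uuid.getnode() reports one interface's 48-bit MAC as an int.
    hits = matched_macs([f"{uuid.getnode():012x}"], SAMPLE_TARGETS)
    print("targeted interface(s):", hits or "none")
```

On a real host you would feed every interface's address (from `ip link`, `ipconfig /all` or similar) rather than the single value `uuid.getnode()` returns.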
Moreover, he highlights that malware communicates over the network, and that this is a crucial threat to a malware's existence. In other words, he argues that the network has to be monitored: the network is far more independent of the compromised endpoint and a better way to detect malicious activity on endpoints.
Concluding, the cyber security specialist urges maritime owners and managers to be informed of this new kind of cyber attack: although at this point it appears to be a nation-state actor with a very specific target, these attack methodologies and tools quickly transfer to the criminal element.