Security News > 2021 > October > A New APT Hacking Group Targeting Fuel, Energy, and Aviation Industries
A previously undocumented threat actor has been identified as behind a string of attacks targeting fuel, energy, and aviation production industries in Russia, the U.S., India, Nepal, Taiwan, and Japan with the goal of stealing data from compromised networks.
"The group compromised a subsidiary and penetrated the target company's network through it. Trusted relationship attacks are rare today due to the complexity of their execution. Using this method [], the ChamelGang group was able to achieve its goal and steal data from the compromised network."
The attack in March is also notable for the fact that the operators breached a subsidiary organization to gain access to an unnamed energy company's network by exploiting a flaw in Red Hat JBoss Enterprise Application to remotely execute commands on the host and deploy malicious payloads that enable the actor to launch the malware with elevated privileges, laterally pivot across the network, and perform reconnaissance, before deploying a backdoor called DoorMe.
"The infected hosts were controlled by the attackers using the public utility FRP, written in Golang," the researchers said.
On the other hand, the August attack against a Russian company in the aviation production sector involved the exploitation of ProxyShell flaws to drop additional web shells and conduct remote reconnaissance on the compromised node, ultimately leading to the installation of a modified version of the DoorMe implant that comes with expanded capabilities to run arbitrary commands and carry out file operations.
"Targeting the fuel and energy complex and aviation industry in Russia isn't unique - this sector is one of the three most frequently attacked," Positive Technologies' Head of Threat Analysis, Denis Kuvshinov, said.