The FBI has sent a security warning to the US private sector about an ongoing hacking campaign targeting software supply chain companies, ZDNet has learned.

The FBI says the hackers are trying to infect companies with Kwampirs, a remote access trojan (RAT).

“Software supply chain companies are believed to be the target to access the victim’s strategic partners and/or customers, including entities that support Industrial Control Systems (ICS) for global power generation, transmission and distribution,” the FBI said in a private industry notification sent last week.

In addition to the attacks on software supply chain companies, the FBI said the same malware has also been used in attacks on companies in the healthcare, energy and financial sectors.

The warning did not name the targeted software providers or any other victims.

Instead, the FBI shared IOCs (indicators of compromise) and YARA rules so that organizations can scan their internal networks for signs of the Kwampirs RAT used in the recent attacks.

Kwampirs malware

The Kwampirs malware was first described in a report published in April 2018 by the American cyber security company Symantec.

At the time, Symantec said a group codenamed Orangeworm had used the Kwampirs malware to target, among others, supply chain companies that provided software to the healthcare sector.

Symantec said that Orangeworm had been in operation since 2015 and focused primarily on healthcare.

“The secondary objectives of Orangeworm include Production, Information Technology, Agriculture and Logistics,” said Symantec at the time. “While these industries may not have anything to do with each other, we have found that they have multiple links to healthcare, such as large manufacturers that produce medical imaging equipment sold directly to healthcare companies, IT organizations that provide support services to medical clinics and logistics organizations that deliver health products.”

A Lab52 report released a year later, in April 2019, confirmed Symantec’s findings and the group’s focus on healthcare.

New attacks seem to be targeting the ICS energy sector

However, last week’s FBI warning specifically states that the Kwampirs attacks have now expanded to companies in the ICS (Industrial Control Systems) sector, and in particular the energy sector.

In 2018 and 2019, neither Symantec nor Lab52 attributed the group to a country of origin.

However, the FBI says that new evidence from code analysis suggests Kwampirs has “many similarities” with Shamoon, a notorious disk-wiping malware developed by APT33, an Iranian hacking group.

“Although the Kwampirs RAT has not been observed with a wiper component, comparative forensic analysis has shown that the Kwampirs RAT has many similarities with the Disttrack data destruction malware (commonly known as Shamoon),” the FBI said.

The Shamoon malware has been used in multiple data-wiping attacks on companies in the energy sector, and more specifically in the oil and gas industry (1, 2, 3).

The FBI encouraged companies to scan networks for signs of Kwampirs and to report infections.
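The notification's practical ask, in the paragraph above and in the earlier mention of the shared IOCs and YARA rules, is a sweep of internal hosts for file-hash indicators. The script below is an added example of such a sweep written for this article; it is not the FBI's tooling or any code from the notification, and every indicator in it is constructed from a sample file created in a temporary directory rather than a real Kwampirs hash. It walks a directory tree, hashes regular files in chunks, and reports matches against a plain-text IOC list (one hex SHA-256 per line, comments allowed, case normalised so an upper-case feed still matches).

```python
"""Hash-based IOC sweep over a directory tree.

Added example for this article, not code from the FBI notification.
The indicator list used in demo() is constructed from a sample file written
to a temporary directory; no real Kwampirs hashes appear here.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file in 1 MiB chunks so large binaries don't load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def load_iocs(text: str) -> set[str]:
    """Parse an IOC list: one hex digest per line; '#' comments and blank lines
    are ignored; digests are lower-cased so feeds that publish upper-case hashes
    still match hashlib's lower-case output."""
    iocs = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            iocs.add(line)
    return iocs


def sweep(root: Path, iocs: set[str]) -> list[tuple[Path, str]]:
    """Return (path, digest) for every regular file under root whose SHA-256 is in iocs."""
    hits = []
    # os.walk does not follow symlinked directories by default; file symlinks are
    # skipped below so a planted link cannot redirect the sweep elsewhere.
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            try:
                digest = sha256_of(p)
            except OSError:
                continue  # unreadable file: in production, log it and move on
            if digest in iocs:
                hits.append((p, digest))
    return hits


def demo() -> list[str]:
    """Build a constructed tree with one matching file and return the matched names."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        sample = root / "bin" / "sample_artifact.bin"  # constructed, not a real indicator
        sample.write_bytes(b"constructed sample payload\n")
        (root / "readme.txt").write_text("benign file\n")
        # Feed published in upper case to exercise the normalisation in load_iocs().
        ioc_text = "# constructed IOC list\n" + sha256_of(sample).upper() + "\n"
        return [path.name for path, _ in sweep(root, load_iocs(ioc_text))]


if __name__ == "__main__":
    print(demo())
```

Point `sweep()` at a real root with the hashes from the notification's IOC list to use it in earnest; the YARA rules the FBI distributed cover content patterns that a hash match cannot, so run both, since a recompiled or repacked sample changes its hash but often not the strings a YARA rule keys on.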