While I have reported on software supply chain attacks in the past, they have all been one-off and, in some cases, highly targeted attacks.
The FBI has issued a warning about ongoing, large-scale software supply chain attacks. The attackers are deploying Kwampirs, a Remote Access Trojan (RAT), on the systems they compromise.
The FBI says the attackers are using their foothold in a compromised vendor to reach that vendor's strategic partners and customers (AKA you).
But since compromising your suppliers is apparently not enough, they are also attacking companies in the healthcare, energy and financial sectors directly.
Symantec reported attacks using Kwampirs in 2018 by a group they called Orangeworm.
Symantec also said that Orangeworm had been active since 2015, targeting mostly healthcare, with secondary targets in IT, manufacturing, logistics and agriculture.
Lab52 confirmed Symantec’s findings last year.
The FBI issued this alert after all this time because the malware seems to have evolved and is now attacking industrial control systems, especially in the energy sector. That would likely include electric, natural gas, water and wastewater.
While Kwampirs does not, at the moment, appear to wipe the systems it infects, it shares a lot of code similarities with the Shamoon malware, which did wipe infected systems.
Indicators of compromise are available for organizations that have detection systems that can use them.
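Consuming an IOC list does not require a commercial detection platform. The following is an added example, not code from the original post or from the FBI alert: it matches a set of file hashes against files on disk and a set of domains against proxy or DNS log lines. Every IOC value and log line in it is a constructed placeholder; the real hashes and domains from the FBI flash alert would have to be substituted before it detects anything.

```python
"""Match a local IOC list (SHA-256 hashes, domains) against files and log lines.

Added example: not from the original post or the FBI alert. All IOC values
below are constructed placeholders, not real Kwampirs indicators.
"""
import hashlib
import os
import re
from typing import Dict, Iterable, List, Set

# Constructed IOC set (placeholders, NOT real indicators).
IOC_SHA256: Set[str] = {
    hashlib.sha256(b"constructed-malicious-sample-1").hexdigest(),
}
IOC_DOMAINS: Set[str] = {"c2.example.invalid", "update.example.invalid"}

# Host names appearing in a URL or log line; good enough for proxy/DNS logs.
_DOMAIN_RE = re.compile(r"(?i)\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_files(root: str, hashes: Set[str] = IOC_SHA256) -> List[str]:
    """Return paths under root whose SHA-256 is in the IOC hash set."""
    hits: List[str] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if sha256_file(path) in hashes:
                    hits.append(path)
            except OSError:
                # Unreadable file (permissions, removed mid-walk): skip it,
                # do not abort the whole sweep.
                continue
    return hits


def scan_log_lines(lines: Iterable[str],
                   domains: Set[str] = IOC_DOMAINS) -> Dict[str, List[str]]:
    """Map each IOC domain to the log lines that contact it or a subdomain of it."""
    lowered = {d.lower() for d in domains}
    hits: Dict[str, List[str]] = {}
    for line in lines:
        hosts = {m.group(0).lower() for m in _DOMAIN_RE.finditer(line)}
        for host in hosts:
            for ioc in lowered:
                if host == ioc or host.endswith("." + ioc):
                    hits.setdefault(ioc, []).append(line.rstrip("\n"))
    return hits


# Constructed sample proxy log lines (not real traffic).
SAMPLE_LOG = [
    "2020-03-30T10:01:02Z host1 GET http://www.example.com/ 200",
    "2020-03-30T10:01:05Z host1 GET http://c2.example.invalid/beacon 200",
    "2020-03-30T10:02:11Z host2 POST http://files.update.example.invalid/up 204",
]

if __name__ == "__main__":
    for ioc, matched in scan_log_lines(SAMPLE_LOG).items():
        print(f"[domain IOC] {ioc}:")
        for entry in matched:
            print("   ", entry)
    for path in scan_files("."):
        print(f"[hash IOC] {path}")
```

Hash matching only catches the exact samples the IOC list names, so the domain matching (including subdomains) is the part that keeps working when the attackers recompile; both should be run over historical logs as well as live traffic, since the alert describes an ongoing campaign.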