German Federal Office for the Protection of the Constitution warns of Chinese hacker attacks on German companies - ongoing cyber attack on gas station supplier Oiltanking
by Tina Siering
What exactly is the Federal Office for the Protection of the Constitution warning about?
On its website, the Federal Office for the Protection of the Constitution (BfV) published a message in January explicitly warning against targeted cyberattacks on German companies. The warning is very specific and speaks of targeted espionage attacks on commercial enterprises. The BfV advises to be particularly vigilant at present and to intensify the search for compromised systems. The BfV also provides detection rules and technical indicators to help detect systems that have already been infected.
What attack vector are the hackers using?
The Federal Office for the Protection of the Constitution says that a variant of the HyperBro malware is being used in the current attacks. HyperBro belongs to the class of remote access tools (RATs). After a successful intrusion, this type of malware gives attackers outside the network unnoticed and persistent access to the compromised systems.
The attackers use two methods to infect the target systems. According to the BfV, they exploit security vulnerabilities in Microsoft Exchange servers and in Zoho ManageEngine ADSelfService Plus. CISA, the U.S. Cybersecurity and Infrastructure Security Agency, had already warned of attacks exploiting the ADSelfService Plus vulnerability in mid-September 2021, and of the Exchange vulnerabilities as early as March 2021.
Attacks via the Microsoft Exchange vulnerabilities have been known since spring 2021, and by all appearances some of them belong to the current wave. This shows the long-term impact of zero-day exploits: the Exchange vulnerabilities were exploited before a patch existed, so even companies that applied the patch immediately may already have been compromised in spring 2021. If the attackers gained a foothold in the network unnoticed at that time, that access may still exist today, regardless of whether Exchange and ADSelfService Plus have since been patched or are no longer in use at all. Once the remote access tool is in place, the attackers no longer need the original vulnerability or the affected software. Patching therefore closes the door to new intrusions but does not evict an intruder who is already inside; that requires actively searching the network for traces of the RAT.
Who is behind the attacks?
The BfV suspects that the cyberattack group APT27 is behind the current wave. APT is an abbreviation for Advanced Persistent Threat, a group that specializes in targeted and complex attacks in cyberspace. The group is also known as Emissary Panda. APT27 has been active since at least 2010. In the past, cyberattacks on embassies of various states as well as on companies have been attributed to the group. In these cases, APT27 exfiltrated information. The targets of this group include energy companies, military technology companies and aerospace companies. IT security experts assume that APT27 operates from China and has a connection to the country's government apparatus.
The latest victim? The tank logistics company Oiltanking
In fact, there are clear indications that the Federal Office for the Protection of the Constitution did not issue the warning without reason. On January 31, it became known that the tank logistics company Oiltanking had been the victim of an attack by cybercriminals. This attack disrupted parts of its core business. Also affected is the petroleum trader Mabanaft, which belongs to the same corporate network as Oiltanking.
At the companies, the cyberattack has blocked the loading and unloading of tank farms. According to Oiltanking, these parts of the operational business are automated and cannot be carried out manually. Thirteen larger tank terminals are affected, from which Oiltanking supplies service stations and companies, including Shell. At some of the affected service stations, it is also not possible to accept card payments or adjust prices.
What goals are the attackers pursuing with the current attacks?
The Federal Office for the Protection of the Constitution can only partly say what the exact targets of the current wave are. However, some conclusions can be drawn from the analysis of affected systems. For example, German companies from the pharmaceutical and technology sectors are the main focus of APT27's attacks. Supply chain attacks have also been observed: starting from the initial compromise of one company, the attackers move on to other companies that have business relationships with the original target, for example via shared network connections or trusted access.
It is also not entirely clear what the attackers' goals are. The HyperBro remote access tool gives the hackers wide-ranging powers in the compromised networks. So far, however, the attackers have made a point of remaining undetected. Accordingly, the BfV assumes that the theft of trade secrets and intellectual property is the focus of the hackers. In some cases related to the current wave, the theft of data has already been proven.
However, a remote access tool like HyperBro gives attackers far more than the ability to steal data. It allows complete control of a system. The attackers can take screenshots of the screen contents in real time or even create audio and video recordings if the system has a camera or a microphone. Such malware also allows the attackers to load additional malware onto the system; RATs are in many cases the gateway for ransomware attacks. Remote access tools thus give the attackers a great deal of power over the infected systems.
What options are available to companies to defend themselves?
The first step is to download the information from the website of the Federal Office for the Protection of the Constitution. The BfV provides a list of IP addresses that belong to the infrastructure of the cyberattack group APT27 or are used to control the remote access tool HyperBro. These are so-called command and control (C2) servers operated by the attackers.
Through these command and control servers, the attackers maintain the connection to the infected systems, steal data or continue spying on the network. Using this IP list, the first step is to check whether the logs of the network devices (firewalls, proxies, DNS servers) and of individual computers contain matching entries. A match indicates an infection with HyperBro. In addition, the list can be used to block these IP addresses at the firewall, which interrupts the attackers' access to their remote access tool for the time being.
However, blocking the IP addresses does not provide complete protection. If the attackers reach the malware via another server, communication is possible again. Moreover, the attackers can simply move their infrastructure to new addresses once the BfV has made the old ones public, so the published list is only a snapshot.
For this reason, it is important to act proactively. First and foremost, this means implementing systems that can detect the activity of attackers or of malware such as a remote access tool on one's own network. These are so-called early attack detection solutions. Such systems detect unusual behaviour on the network. Early attack detection draws on the log data generated by routers, computers and other network components. Among other things, these logs contain the IP addresses involved and information about the type of communication, including the traffic between the attackers' command and control servers and an infected system. A RAT that polls its controller at regular intervals stands out in this data even when the controller's address is not yet on any list. Early attack detection is also an essential component of cyber defense in general and is not only useful against the current APT27 threat.
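As an added illustration (this is example code, not code from the page or from the BfV), the following Python script shows the two checks described above: first, matching firewall log lines against a list of C2 addresses; second, because a published list is only a snapshot, a simple beaconing check that flags any internal host contacting an external address at near-constant intervals, which catches a controller that has moved to a new address. The indicator addresses (RFC 5737 documentation ranges), the 10.0.0.0/8 internal range, the log format and the log lines are all constructed for this example and are not the BfV's published indicators.

```python
"""Hunt firewall logs for HyperBro-style C2 activity: known C2 addresses first,
then beacon-like traffic that an address list alone cannot catch."""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev
import ipaddress
import re

# Hypothetical indicator list. These are RFC 5737 documentation addresses that
# stand in for the C2 addresses the BfV publishes; they are NOT real IOCs.
C2_INDICATORS = {"203.0.113.77", "198.51.100.23"}

# Address space of the monitored network (an assumption for this example).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample firewall log in a simplified syslog-like format:
#   <ISO timestamp> <ALLOW|DENY> <src_ip> -> <dst_ip>:<dst_port>
# 10.0.5.14 talks to a listed C2 every 5 minutes; 10.0.5.31 talks to an
# unlisted address every 10 minutes (a controller that moved); 10.0.5.20 shows
# ordinary irregular traffic; the last two lines are inbound noise and junk.
SAMPLE_LOG = """\
2022-01-26T08:00:00 ALLOW 10.0.5.14 -> 203.0.113.77:443
2022-01-26T08:00:01 ALLOW 10.0.5.20 -> 192.0.2.10:443
2022-01-26T08:05:00 ALLOW 10.0.5.14 -> 203.0.113.77:443
2022-01-26T08:10:00 ALLOW 10.0.5.14 -> 203.0.113.77:443
2022-01-26T08:15:00 ALLOW 10.0.5.14 -> 203.0.113.77:443
2022-01-26T09:00:00 ALLOW 10.0.5.31 -> 192.0.2.200:8443
2022-01-26T09:03:12 ALLOW 10.0.5.20 -> 192.0.2.10:443
2022-01-26T09:10:00 ALLOW 10.0.5.31 -> 192.0.2.200:8443
2022-01-26T09:20:00 ALLOW 10.0.5.31 -> 192.0.2.200:8443
2022-01-26T09:30:00 ALLOW 10.0.5.31 -> 192.0.2.200:8443
2022-01-26T09:40:00 ALLOW 10.0.5.31 -> 192.0.2.200:8443
2022-01-26T11:47:50 ALLOW 10.0.5.20 -> 192.0.2.10:443
2022-01-26T12:02:05 ALLOW 10.0.5.20 -> 192.0.2.10:443
2022-01-26T12:30:00 DENY 198.51.100.23 -> 10.0.5.2:443
2022-01-26T12:31:00 audit: rule reload
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)$"
)


def parse_log(text):
    """Parse log lines into events; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "action": m["action"],
            "src": m["src"],
            "dst": m["dst"],
            "port": int(m["port"]),
        })
    return events


def match_indicators(events, indicators):
    """Step 1: IOC matching. Count connections whose source or destination is a
    listed C2 address; an outbound hit from an internal host points to an infection."""
    hits = Counter()
    for e in events:
        if e["src"] in indicators or e["dst"] in indicators:
            hits[(e["src"], e["dst"])] += 1
    return dict(hits)


def find_beacons(events, min_connections=4, max_jitter=0.2):
    """Step 2: behavioural detection. Flag internal->external pairs whose
    connection intervals are nearly constant (coefficient of variation <=
    max_jitter). A RAT polling its controller on a timer produces this pattern
    whichever address the controller currently uses, so it still fires after
    the attackers have moved off the published IPs."""
    by_pair = defaultdict(list)
    for e in events:
        if ipaddress.ip_address(e["dst"]) in INTERNAL_NET:
            continue  # only outbound traffic is of interest here
        by_pair[(e["src"], e["dst"])].append(e["ts"])
    beacons = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((src, dst, round(avg)))
    return sorted(beacons)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for pair, n in sorted(match_indicators(evts, C2_INDICATORS).items()):
        print(f"IOC hit: {pair[0]} -> {pair[1]} ({n} connections)")
    for src, dst, interval in find_beacons(evts):
        flag = "listed C2" if dst in C2_INDICATORS else "NOT on the IOC list"
        print(f"beacon: {src} -> {dst} every ~{interval}s ({flag})")
```

On the constructed sample, the IOC check finds only host 10.0.5.14, while the beaconing check additionally surfaces 10.0.5.31 talking to an address that appears on no list. In practice the jitter threshold and minimum connection count need tuning per environment, since software updaters and monitoring agents also poll on timers; the point is that the published addresses feed the firewall blocklist, but the behavioural check is what keeps working after the attackers change infrastructure.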
Conclusion on the BfV's current warning against cyber attacks
Foremost, the warning from the Federal Office for the Protection of the Constitution should be taken seriously by every company in Germany. It is important to use this opportunity to check your own network and IT security again. The focus here is on any gaps in the defenses as well as checking whether the network may have been compromised.
In addition, the situation shows the challenges that companies are facing. In small and medium-sized enterprises, a few people, if not a single person, are often responsible for IT security. This contrasts with long-lasting risks from security vulnerabilities and zero-day exploits, the threat of undetected activity on the network, and the threat of cybercrime. It is no longer only everyday cyber threats or financially motivated attackers that shape the threat situation. As in the current case, groups such as APT27 are also active, whose precise goals are not fully clear. Every company is a potential target for all of these actors.
Further complicating the situation is the dependence on digital systems that has arisen as a result of advancing digitization. This can be seen in the case of Oiltanking, where day-to-day business comes to a complete standstill due to a cyberattack. Companies therefore have no choice but to give IT security top priority, because cyberattacks have the potential to block the entire business operation from one second to the next.