The Nozomi Networks Labs team delivers this semi-annual report to provide insights into how the world’s largest industrial organizations and critical infrastructure operators can protect themselves from these advanced threats. Our threat intelligence, enriched by indicators of compromise, threat actor profiles and vulnerability data from Mandiant, empowers customers to proactively defend their systems.

From the report, “Robotic telepresence is a next-generation technology that allows a person in one location to replicate himself in another. The remote person can see you, hear you, interact with you, and move all around your location. But wait a second! What if the person behind the robot is not who you think he is? What if the robot gets compromised, and now the attacker is watching you and your surroundings? In this whitepaper, all the findings learned while security testing a telepresence robot are presented, as well as the countermeasures implemented by the vendor.”

This report takes a look at a new global campaign targeting nuclear, defense, energy, and financial companies.

This report provides new insights into the Shamoon 2.0 and StoneDrill attacks, including: 1. The discovery techniques and strategies we used for Shamoon and StoneDrill. 2. Details on the ransomware functionality found in Shamoon 2.0. This functionality is currently inactive but could be used in future attacks. 3. Details on the newly found StoneDrill functions, including its destructive capabilities (even with limited user privileges). 4. Details on the similarities between malware styles and malware components’ source code found in Shamoon, StoneDrill and NewsBeef.

Herein we release our analysis of a previously undocumented backdoor that has been targeted against embassies and consulates around the world leads us to attribute it, with high confidence, to the Turla group. Turla is a notorious group that has been targeting governments, government officials and diplomats for years. They are known to run watering hole and spearphishing campaigns to better pinpoint their targets. Although this backdoor has been actively deployed since at least 2016, it has not been documented anywhere. Based on strings found in the samples we analyzed, we have named this backdoor “Gazer”.

There are many reasons to archive data. For too many organizations, “archiving” is immediately presumed to be a cumbersome, unattainable, legacy process that IT had previously deprioritized, while erroneously believing that a “backup copy” held for an extended period of time was a sufficient alternative. Every aspect of that presumption is incorrect—modern archiving is a critical and compelling aspect of nearly every IT organization’s forward-looking strategy.