Dragos finds several automotive manufacturing organizations targeted in potential Conti ransomware activity

Industrial cybersecurity firm Dragos identified consistent network communication between Emotet Command and Control (C2) servers and numerous automotive manufacturing companies. The Emotet servers are suspected to be controlled by the Conti ransomware group; Emotet is recognized as both a malware strain and a cybercrime operation, and it has precipitated ransomware events in the past.

Analysis of the network telemetry from the C2 nodes highlighted continued communication to and from automotive-related organizations in North America and Japan, Josh Hanrahan, senior adversary hunter at Dragos, wrote in a company blog post. The targeting included but was not limited to three of the world’s top automakers, a key domestic supplier to one of the world’s top automakers, and an automotive component manufacturer, he added.

“Not only did victims exhibit network communication consistent with C2 activity to one IP address, but some victims were communicating with many of the C2 IP addresses,” according to Hanrahan. “This indicates that initial access footholds into these victims’ networks were well established and have multiple backup controllers if some were to go offline.”

Dragos said it has contacted the affected organizations and advised them to enact their incident response playbooks for ransomware events.

The company also investigated the Internet Protocol (IP) addresses detailed on Twitter by the user ‘@ContiLeaks,’ according to Hanrahan. “This user appears to be someone with potential insider knowledge of the Conti ransomware group who is leaking information due to disagreeing with Conti’s public support of the Russian invasion of Ukraine,” he added.

The Hanover, Maryland-headquartered company examined the IP addresses in the tweets and noted copious amounts of communication to confirmed Emotet C2 nodes. It also observed numerous automotive organizations across North America and Japan frequently communicating with the Emotet C2 servers.

“At this stage, Dragos has not yet observed any confirmed initial access methods being utilized and does not have any evidence of ransomware encryption being initiated,” according to Hanrahan. “The observed communications from the networks are consistent with those commonly associated with established footholds. Dragos observed this activity starting in December 2021, but it may have begun prior to that. It has been ongoing until March 2022,” he added.

Hanrahan said that if systems located in levels 2 to 3 of the Purdue Model, such as engineering workstations, historians, or SCADA (supervisory control and data acquisition) systems, suffer a ransomware infection, the impact on industrial operations can be severe. “Additionally, any ransomware infection occurring on systems in Level 4 of the Purdue model such as Domain Controllers, File Servers or Web Servers can sever key business processes that industrial operations may be reliant upon,” he added.

The Dragos information comes at a time when ransomware attackers have breached networks at the German business unit of Denso, a supplier to automotive company Toyota, though production and business activities were not affected. The Denso attack was the second confirmed cybersecurity incident against a Toyota supplier. In the latest attack, hackers gained unauthorized access to Denso Automotive Deutschland GmbH and deployed ransomware, marking the latest in a series of cyber attacks and potential disruptions for the giant carmaker.

Japanese automaker Toyota earlier this month halted operations at its domestic plants for a day, following a ‘system failure’ at one of its domestic suppliers brought about by a suspected cyberattack. At present, there are no known reports of disruption to Toyota operations and production units. However, given the nature of supply chain attacks, it cannot be ruled out that Toyota is being targeted.

Researchers from TXOne Networks said last month that as of December 2021, Emotet and Conti both have resurfaced using advanced exploitation of the Log4Shell vulnerability to accomplish their goals. The BlackMatter ransomware includes tools and techniques from the Darkside, REvil, and LockBit 2.0 ransomware families, it added.

Last week, U.S. security agencies updated a previously issued joint cybersecurity advisory on malicious operations carried out by Conti ransomware hackers against domestic and international organizations. The amendment includes newly identified indicators of compromise (IOCs) made up of nearly 100 domain names and adds the United States Secret Service (USSS) as a co-author.
