A mysterious set of hackers has in recent months launched data-stealing attacks against Azerbaijan government officials and companies in the country’s wind industry, researchers from Cisco Talos said Thursday.
The attackers are using a new hacking tool, whose code is littered with references to English playwright William Shakespeare, to try to gain remote access to target computers and exfiltrate data automatically.
The allusion to Shakespeare is an enigma, as is the culprit. What is clear is that Azerbaijan faced a concerted effort to steal data from sensitive assets in and out of government.
The hackers mimicked the Azerbaijani government’s email infrastructure in a likely attempt to pluck login credentials from officials. “The actor monitored specific directories, signaling they wanted to exfiltrate certain information on the victims,” Talos researchers said in a blog post.
The hackers have also shown an “interest” in the control systems, known as Supervisory Control and Data Acquisition (SCADA) systems, used in wind turbines in Azerbaijan, according to Talos. The researchers declined to detail the activity they observed involving SCADA systems.
Azerbaijan — an oil-rich country wedged between Iran and Russia — has recently made big investments in wind energy. Companies from Saudi Arabia and the United Arab Emirates will invest $400 million in large wind and solar projects, Azerbaijan’s energy minister said in February.
It is unclear how many of the attacks were successful. A spokesperson for the Azerbaijan government did not respond to a request for comment.
“We can gauge their attacks as purely espionage-focused for now but they could have easily taken enough information, credentials and important files to be able to carry out further activities such as ransom[ware] attacks,” Talos threat researcher Warren Mercer told CyberScoop in an email.
Like many hacking campaigns in recent weeks, the campaign against Azerbaijani organizations worked the novel coronavirus pandemic into its attacks. A document purporting to be a government count of COVID-19 cases was laced with malicious code.
For now, the cyber activity has stopped, Mercer said. But new malware, and perhaps a new hacking group, is on the radar of cybersecurity teams.