Ransomware Reportedly Linked to Iranian Strategic Interests Observed Targeting ICS in Middle East

Posting ID 122486
Date Added: 01/30/2020 11:32 AM EST
Date Modified: 01/30/2020 11:35 AM EST
Jeff Jones | E-ISAC Staff


The E-ISAC has been tracking- and previously reported on- the continued uptick in reports of impacts from ransomware over the latter half of 2019. While most of these reports focused on impacts to IT networks, the E-ISAC (and others in the ICS security community) has recommended strategies and considerations for protecting OT networks and systems against ransomware. Previously observed impacts to IT networks have ranged from nuisance to data destruction and complete enterprise outages, and potential impacts of destructive ransomware in OT networks could be catastrophic depending on system sensitivity and severity of infection.

Up to this point, the E-ISAC has not been aware of any ransomware specifically targeting ICS. On January 28, 2020, Bloomberg (and other media outlets) have reported [hXXps://www.bloomberg.com/news/articles/2020-01-28/-snake-ransomware-linked-to-iran-targets-industrial-controls] that Israeli cybersecurity firm Otorio has observed a new strain of ransomware targeting ICS functionality and processes at Bahrain Petroleum Co. (Bapco) in the Middle East. The article mentions that the malware targets “many industrial processes that belong to General Electric Co.”, but a GE representative claims that based on their understanding, the malware does not exclusively target a specific vulnerability in their products.

Otorio has named the ransomware “Snake”, and links some of the behavioral and technical details to known threat actors aligned with Iranian strategic geopolitical interests in the region.

At this time the E-ISAC has no new reports of activity matching the ransomware threat described in this Bulletin, or a specific threat to the energy sector as a result. However, discoveries of threats specifically targeting ICS and OT environments continue to increase and are of concern for asset owners and operators. The E-ISAC encourages members to familiarize themselves with information about these threats so that they can collaborate with system owners, administrators, and defenders to make certain that appropriate visibility is in place to make risk-based decisions to protect their critical assets.

The E-ISAC encourages members to share with the E-ISAC any abnormal activity they may observe in their IT or OT environments. This information can help the energy sector community assess the breadth of adversary activities, develop trends, and improve understanding of threat actor TTPs.

Bulletin Type:
Cyber Bulletin
Category Type:
Cyber Security
Situation Awareness
TLP - White
Shared Count (26)
  • Advanced Portal Users Group
  • ANL
  • Canadian CERTs
  • CRISP - Cyber Risk Info Sharing Program
  • DNG-ISAC Portal
  • DOD
  • DOE Complex
  • E-ISAC Administrators
  • E-ISAC AOO Members
  • E-ISAC Staff
  • ESCC, including SEWG
  • FBI, LE Fusion
  • FERC - OEIS, etc
  • International (other ISACs, CERTs)
  • International AOOs
  • Other (inc. local/state commissions)
  • ThreatConnect Pilot Program
  • Trade Organizations
  • Watch Floor
  • WaterISAC
Change History
  • Jeff Jones, 01/30/2020