Kaspersky Lab on Friday shared details of a targeted attack campaign against industrial organizations that began in late summer and is still ongoing.
The campaign, which Kaspersky Lab says began in August 2016, targeted several companies, including those in the smelting, power generation and transmission, construction, and engineering industries.
Most of the organizations attacked in the campaigns are vendors of industrial automation solutions and system support contractors, such as companies that design, build and provide solutions for critical infrastructure, a blog post published on the recently launched Kaspersky Lab ICS CERT site explains.
In typical spear phishing fashion, the attackers sent emails whose subject lines were crafted to lure the target and whose senders were made to look legitimate.
Interestingly, analysis of the email headers revealed that most of the messages were sent from legitimate email addresses belonging to real organizations, which points to those accounts having been compromised rather than merely spoofed.
“In some cases, the subject line contained the actual text used in an organization’s correspondence. That can only happen if the source emails were accessible to hackers and were, possibly, compromised earlier,” the report explained. “The hackers could have accessed and read previous communications between the target and their partners. They may then have used this information to craft ‘legitimate’ email communications, so that the victim didn’t recognize the malicious aspect of the email.”
The malicious emails carried RTF attachments containing an exploit for CVE-2015-1641, an older memory corruption vulnerability in Microsoft Office that was patched in April 2015. According to a report from Sophos, CVE-2015-1641 is one of the most commonly used exploits against Microsoft Office for compromising systems.
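Two of the points above matter for anyone triaging mail into an industrial organization: a message sent from a genuinely compromised partner mailbox passes sender authentication, so SPF/DKIM results are not a safe signal on their own, and an RTF carrying an Office exploit can arrive under any file name. The script below is an added example written for this article, not code from Kaspersky ICS CERT or from the report. It builds a constructed .eml in memory (the domains, subject and attachment are all made up, and the RTF is a harmless stub, not an exploit), reads the authentication headers, identifies RTF by its `{\rtf` signature rather than the extension, and flags RTF bodies that embed OLE objects via the `\object` / `\objdata` control words, the generic carrier for Office document exploits. The detection heuristic is the author's own; it is not a signature for CVE-2015-1641 specifically.

```python
"""Triage a spear-phishing e-mail of the kind described in the article.

Added example; not code from Kaspersky ICS CERT or the report it describes.
Everything here (domains, subject, attachment bytes) is constructed.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# RTF files start with the "{\rtf" group regardless of the file extension.
RTF_MAGIC = b"{\\rtf"
# Control words that introduce an embedded OLE object in RTF.
OBJECT_RE = re.compile(rb"\\(object|objdata|objupdate|objemb)\b")
# "{\*\objclass Word.Document.8}" names the ProgID of the embedded object.
CLASS_RE = re.compile(rb"\\objclass\s+([A-Za-z0-9_.]+)")


def build_sample_message() -> bytes:
    """Constructed sample: a message whose SPF/DKIM checks pass (the sending
    account is legitimate but compromised), reusing a real-looking thread
    subject, with an RTF attachment disguised as a .doc file."""
    msg = EmailMessage()
    msg["From"] = "accounts@partner.example"        # hypothetical domain
    msg["To"] = "engineering@target.example"        # hypothetical domain
    msg["Subject"] = "Re: Invoice for substation commissioning"
    msg["Authentication-Results"] = (
        "mx.target.example; spf=pass smtp.mailfrom=partner.example; "
        "dkim=pass header.d=partner.example"
    )
    msg.set_content("Please see the attached invoice.")
    # Harmless stub RTF that embeds one OLE object; no exploit content.
    rtf = (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Word.Document.8}"
           b"{\\*\\objdata 0105000002000000}}}")
    msg.add_attachment(rtf, maintype="application", subtype="octet-stream",
                       filename="invoice.doc")
    return bytes(msg)


def triage(raw: bytes) -> dict:
    """Parse a raw message and report authentication results plus, for each
    attachment, whether it is RTF and how many embedded objects it declares."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    auth = msg.get("Authentication-Results", "")
    findings = {
        "from": msg["From"],
        "spf_pass": "spf=pass" in auth,
        "dkim_pass": "dkim=pass" in auth,
        "attachments": [],
    }
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        info = {
            "filename": part.get_filename(),
            # Magic-byte check: the .doc extension above is a lie.
            "is_rtf": data.lstrip().startswith(RTF_MAGIC),
            "embedded_objects": 0,
            "object_classes": [],
        }
        if info["is_rtf"]:
            info["embedded_objects"] = len(OBJECT_RE.findall(data))
            info["object_classes"] = [c.decode() for c in CLASS_RE.findall(data)]
        findings["attachments"].append(info)
    return findings


def verdict(findings: dict) -> str:
    """Quarantine on content, not on sender reputation: authentication passed,
    so a compromised partner account would otherwise sail through."""
    suspicious = [a for a in findings["attachments"]
                  if a["is_rtf"] and a["embedded_objects"]]
    if suspicious:
        names = ", ".join(str(a["filename"]) for a in suspicious)
        return f"quarantine: RTF attachment with embedded OLE object ({names})"
    return "deliver"


if __name__ == "__main__":
    result = triage(build_sample_message())
    print(result)
    print(verdict(result))
```

Run as-is the script quarantines the sample even though `spf_pass` and `dkim_pass` are both true; swap in your own `.eml` bytes for `build_sample_message()` to use it on real mail. Sandbox detonation or an Office-aware parser is still needed to confirm an actual exploit; this check only surfaces the carrier.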
As for the malware used in the attacks, Kaspersky found that no new code was written specifically for this campaign, but cautioned that the samples were wrapped in “specific VB and MSIL packers that can diminish the ability” of antivirus products to detect them, that is, packers written in Visual Basic and in .NET's MSIL.
After compromising a system, the attackers deployed an array of off-the-shelf tools for spying on users and stealing sensitive data: the credential stealer FareIT/Pony 2.0, Luminosity RAT (a remote access tool), HawkEye Keylogger, ISR Stealer, NetWire RAT, and Zeus Atmos, a variant of the Zeus banking malware that injects code into web pages in order to steal data.
Based on data that Kaspersky has been able to gather since October 2016, roughly 500 organizations in 50 countries have been targeted by the attack so far. The report did not say how many organizations were successfully compromised, and it does not suggest that any control system devices or OT networks were compromised.
Additional details and a list of IOCs (Indicators of Compromise) are available on the Kaspersky ICS-CERT website.