- May 28, 2020
According to the latest Kaspersky ICS CERT findings, these hits were focused on systems in Japan, Italy, German and the UK and targeted suppliers of equipment and software for industrial enterprises. Research has shown that attackers used malicious Microsoft Office documents,
Targeted attacks on industrial objects organically attract attention from the cybersecurity community as they are sophisticated and focused on sectors that are of critical value. Any disruption in the continuity of work can lead to unwanted consequences from successful industrial espionage to comprehensive financial losses.
This examined series of attacks was no exception. Phishing emails, used as the initial attack vector, were tailored and customized under the specific language for each specific victim. The malware used in this attack performed destructive activity only if the operating system had a localization that matched the language used in the phishing email. For example, in the case of an attack on a company from Japan, the text of a phishing email and a Microsoft Office document containing a malicious macro were written in Japanese. Also, to successfully decrypt the malware module, the operating system must have had a Japanese localization.
Closer analysis has shown that attackers used the Mimikatz utility to steal the authentication data of Windows accounts stored on a compromised system. This information can be used by attackers to gain access to other systems within the enterprise network and develop attacks. This is particularly dangerous when attackers gain access to accounts that have domain administrator rights.
Scheme of attack in details
In all detected cases, the malware was blocked by Kaspersky security solutions which prevented the attackers from continuing their activity. As a result, the ultimate goal of the criminals remains unknown. Kaspersky ICS CERT experts continue to monitor new, similar cases. If an organization encounters such an attack, it can be reported by using this special form on the Kaspersky website.
“This attack attracted attention due to several, non-standard technical solutions used by the attackers,” said Vyacheslav Kopeytsev, a security expert at Kaspersky. “For instance, the malware module is encoded inside the image using steganography methods, and the image itself is hosted on legitimate web resources. This makes it almost impossible to detect the download of such malware using network traffic monitoring and control tools. From the point of view of technical solutions, such activity does not differ from the usual access given to legitimate image hosting. Coupled with the targeted nature of infections, these techniques indicate the sophisticated and selective nature of these attacks. It is a matter of concern that industrial contractors are among the victims of the attack. If the authentication data of employees of the contractor organization falls into malicious hands, this can lead to many negative consequences, starting with the theft of confidential data and ending with attacks on industrial enterprises through remote administration tools used by the contractor.”
“The attack on contractors once again demonstrates that for electric power facilities to be operated reliably, it is critically important to ensure workstations and servers are protected – both on corporate and operational technology networks,” comments Anton Shipulin, solution business lead, Kaspersky Industrial CyberSecurity. “Although strong endpoint protection may be enough to prevent similar attacks, in this case, we still recommend using the most comprehensive approach to support the industrial facility’s cyber-defense. Attacks through contractors and suppliers can have completely different entry points within the enterprise, including ones on the OT network. Even though the attack’s objectives remained unclear, it is more accurate to follow the assumption that attackers have the potential to gain access to the facility’s critical systems. Modern means of network monitoring, anomaly and attack detection can help to detect signs of an attack on industrial control systems and equipment in a timely manner, and prevent a possible incident."
To reduce the risks of being attacked, industrial organizations are advised to:
- Provide training to employees of enterprises on how to work with email securely and, in particular, identify phishing emails.
- Restrict the execution of macros in Microsoft Office documents.
- Restrict execution of PowerShell scripts (if possible).
- Pay particular attention to PowerShell process startup events initiated by Microsoft Office applications. Restrict programs from receiving SeDebugPrivilege privileges (if possible).
- Install a security solution for corporate endpoints such as Kaspersky Endpoint Security for Business, with the ability to centrally manage security policies, and maintain up-to-date antivirus databases and software modules for security solutions.
- Use security solutions for OT endpoints and network such as KICS for Nodes and KICS for Networks to ensure comprehensive protection for all industry critical systems.
- Install security solutions on all systems with the ability to centrally manage security policies, and maintain up-to-date antivirus databases and software modules for security solutions.
- Use accounts with domain administrator rights only when necessary. After using such accounts, restart the system where authentication was performed.
- Implement a password policy with requirements for the level of complexity and regular password changes.
- Upon an initial suspicion that systems are infected, perform an antivirus check and force password changes for all accounts that were used to log in on compromised systems.
To read the full version of the report, please visit Kaspersky ICS CERT.
Click Here for More Information
Did you enjoy this great article?
Check out our free e-newsletters to read more great articles..Subscribe