While the ever-evolving technological landscape has connected the IT and OT sides of the business, it has also left ICS networks exposed to threats impacting IT systems. On this note, Kaspersky ICS CERT revealed several spyware campaigns targeting industrial organizations. These attacks aim to pilfer corporate credentials that can be used for financial fraud or sold to other threat actors.
Diving into details
The attackers send spear-phishing emails laced with malicious attachments from compromised mailboxes to their contacts.
While the attackers use well-known spyware—Agent Tesla, HawkEye, Snake Keylogger, and Azorult, among others—the lifetime and scope of each sample are limited. These attacks have been dubbed anomalous attacks.
Kaspersky experts surmised that the stolen data is initially leveraged to spread the infection across the local network and target other organizations to gather more credentials.
Most of the attacks are conducted by less-skilled, small groups that primarily focus on financial fraud. However, a small number of these groups look for credentials that would provide them access to corporate network services, such as SMTP, RDP, VPN, and SSH, to later sell in dark web marketplaces.
SMTP services belonging to industrial companies are also abused to exfiltrate the data stolen by the spyware, with the compromised mail account serving as a one-way C2 channel.
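Because the spyware sends its loot out through the victim's own mail server, the abuse is visible in the submission logs of that server rather than in firewall logs. The following detection logic is an added example, not code from the article or from Kaspersky: it parses a simplified, constructed submission-log format (timestamp, authenticated account, client IP, recipient; the format and the corporate domain `example-industrial.test` are assumptions for this example) and applies two checks that fit the behaviour described above: a single corporate account authenticating from an unusual number of client IPs (stolen credentials reused from other hosts), and many distinct corporate accounts all sending to the same external mailbox (a drop box used as a one-way C2).

```python
"""Flag signs of a corporate SMTP server being used as a one-way exfiltration channel.

Assumed, simplified submission-log format, one line per authenticated send:
    <ISO timestamp> auth=<account> client=<ip> rcpt=<recipient>
The format, the domain and every sample line below are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass

CORP_DOMAIN = "example-industrial.test"  # hypothetical corporate mail domain

# Constructed sample log: normal traffic plus four accounts feeding one external drop box,
# and one account ("ops") whose credentials are used from three different client IPs.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z auth=alice@example-industrial.test client=10.1.1.10 rcpt=partner@vendor.test
2024-05-01T08:05:12Z auth=bob@example-industrial.test client=10.1.1.11 rcpt=alice@example-industrial.test
2024-05-01T08:07:44Z auth=eng1@example-industrial.test client=10.1.2.21 rcpt=drop-box@freemail.test
2024-05-01T08:09:03Z auth=eng2@example-industrial.test client=10.1.2.22 rcpt=drop-box@freemail.test
2024-05-01T08:15:30Z auth=hr1@example-industrial.test client=10.1.3.5 rcpt=drop-box@freemail.test
2024-05-01T09:00:00Z auth=ops@example-industrial.test client=10.1.4.9 rcpt=ticket@vendor.test
2024-05-01T09:02:10Z auth=ops@example-industrial.test client=203.0.113.40 rcpt=drop-box@freemail.test
2024-05-01T09:04:55Z auth=ops@example-industrial.test client=198.51.100.7 rcpt=drop-box@freemail.test
"""


@dataclass(frozen=True)
class Submission:
    ts: str
    account: str
    client_ip: str
    rcpt: str


def parse_line(line: str) -> Submission:
    """Split one log line into its timestamp and key=value fields."""
    tokens = line.split()
    fields = dict(tok.split("=", 1) for tok in tokens[1:])
    return Submission(tokens[0], fields["auth"], fields["client"], fields["rcpt"])


def parse_log(text: str) -> list[Submission]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def accounts_with_many_clients(subs: list[Submission], max_ips: int = 2) -> dict[str, list[str]]:
    """Accounts that authenticated from more than `max_ips` distinct client IPs.

    A workstation account normally submits from one or two hosts; a stolen credential
    reused by other infected machines or by the attacker shows up as many clients.
    """
    ips: dict[str, set[str]] = defaultdict(set)
    for s in subs:
        ips[s.account].add(s.client_ip)
    return {acct: sorted(v) for acct, v in ips.items() if len(v) > max_ips}


def shared_external_recipients(subs: list[Submission], min_senders: int = 3) -> dict[str, list[str]]:
    """External recipients that receive mail from at least `min_senders` distinct corporate accounts.

    Internal recipients are ignored; an external mailbox fed by many unrelated internal
    accounts is the signature of a spyware drop box used as a one-way C2.
    """
    senders: dict[str, set[str]] = defaultdict(set)
    for s in subs:
        if not s.rcpt.endswith("@" + CORP_DOMAIN):
            senders[s.rcpt].add(s.account)
    return {rcpt: sorted(v) for rcpt, v in senders.items() if len(v) >= min_senders}


def report(text: str) -> dict[str, dict[str, list[str]]]:
    """Run both checks over a log and return the findings keyed by check name."""
    subs = parse_log(text)
    return {
        "credential_reuse": accounts_with_many_clients(subs),
        "shared_drop_box": shared_external_recipients(subs),
    }


if __name__ == "__main__":
    for check, hits in report(SAMPLE_LOG).items():
        print(check)
        for key, members in hits.items():
            print(f"  {key}: {', '.join(members)}")
```

The thresholds (`max_ips`, `min_senders`) are deliberately low so the constructed sample trips both checks; on a real server they should be tuned against a baseline of normal submission behaviour, and the second check is most useful when combined with attachment size or count, since exfiltrated credential dumps travel as attachments.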
Some stats your way
More than 2,000 corporate email accounts belonging to industrial firms were found stolen and exploited.
Almost 45% of all infected computers were ICS-related.
Kaspersky estimates that over 7,000 corporate email accounts have already been stolen and sold on web marketplaces.
Around 20% of the malware samples had a lifespan of only 25 days, after which they were replaced with new ones.
Researchers detected more than 25 marketplaces dedicated to selling the stolen data.
This campaign has been ongoing since at least 2019 and uses a basic “Mail Box” phishing kit to collect usernames and passwords.
Some of the industrial targets include Honeywell, Huawei, Schneider Electric, HiSilicon, and the Kardzhali power plant.
The attack targeted several universities such as Utah State University, the University of Wisconsin, and California State University.
Other targets include the California Air Resources Board, the Taiwan Forestry Research Institute, the Morris County Municipal Utilities Authority, the Carbon Disclosure Program, and several banks in Bulgaria.
While attribution has been difficult, researchers found links to two known activity clusters, previously connected to APT28 and Konni.
The bottom line
Industrial networks have become one of the favorite targets of cybercriminals and it’s time to up the cyber defense game. Kaspersky has provided some recommendations, including implementing MFA for corporate email access and other internet-facing applications and protecting endpoints in both IT and OT networks with advanced endpoint protection solutions. Stay cyber safe.