Hackers Abusing RMS and Teamviewer to Target Industrial Enterprises

In a latest report by Kaspersky, researchers have detailed some changes in the tactics and toolset of an ongoing attack campaign against industrial enterprises. Kaspersky ICS CERT had released a report earlier in 2018 that detailed the use of the Remote Manipulator System (RMS) and Teamviewer in those attacks. Apparently, the attackers are now using new techniques and targeting a wider range of enterprises.

What’s new?

Recently, cybercriminals have been observed using legitimate-looking documents, such as memos and documents detailing equipment settings or other industrial process information. These were apparently stolen during earlier attacks to target industrial enterprises.
  • In the latest campaign, hackers targeted industrial systems of enterprises in Russia across several sectors, primarily focusing on the energy sector. In addition, they are targeting manufacturing, oil and gas, metal industry, engineering, construction, mining, and logistics sectors as well.
  • Hackers are now reportedly using legitimate remote administration software such as TeamViewer or RMS infrastructure for their communication with infected systems. Previously this was done using a malware command-and-control server.
  • For these attacks, hackers are using spyware and the Mimikatz utility to steal authentication credentials. These are used to further infect other systems on the enterprise network.
  • The ultimate goal of these attacks is to steal money from victim organizations.

Recent attacks on the industrial sector

Recently, several APT groups were observed using simple yet effective techniques to launch targeted attacks on industrial systems.
  • In October, the MontysThree APT group had launched industrial espionage attacks targeting an international architectural and video production company with steganography and a third-party MAXScript exploit - PhysXPluginMfx.
  • In August, for industrial espionage, APT hackers were seen using malicious payload posing as a tainted and specially crafted plugin for Autodesk 3ds Max.

Summing up

To target industrial enterprises, hackers have started using simple tools; however, they have been improving upon their methods. The use of innovative methods for remote attacks is an alarming situation for organizations. Experts recommend enterprises to keep cybersecurity on the top of their priority list and keep investing in the gradual upgrade of their infrastructure.