Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

8/2/2018
07:45 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Industrial Sector Targeted in Highly Personalized Spear-Phishing Campaign

At least 400 companies in Russia have been in the bullseye of new, sophisticated spear-phishing attacks, Kaspersky Lab says.

A sophisticated new phishing campaign targeting organizations in the industrial sector shows yet again how attackers are constantly improving at luring high-value users into executing malware on their systems.

In a technical advisory Wednesday, security vendor Kaspersky Lab said it has observed a wave of spear-phishing emails expertly disguised as procurement and accounting letters being sent to carefully selected individuals at companies mostly in Russia. The attackers have typically been targeting finance and project-management related employees at these companies, and the main goal appears to be to steal money from victim organizations.

So far, the threat actors behind the campaign have targeted at least 800 computers across 400 organizations in industries such as energy, manufacturing, oil and gas, logistics, and construction.

The emails are usually addressed to the targeted individuals by their full name and contain content — such as invitations to tender bids — that corresponds with their company's business and the individual's job roles.

The malicious attachments in many of the emails have names that suggest a connection with finance. In some cases, the attackers have been sending emails with no attachments but with links embedded in the content to external sites from where malware can be downloaded to their system. The domain names from which the emails are sent are usually very similar to the domain name of the organization that purportedly sent them.

The attackers have been using various tactics to mask infections, Kaspersky Lab said in its report. If a user is tricked into opening a malicious attachment purporting to be about procurement tenders, for instance, a modified version of a legitimate software tool to search for tenders is installed on the victim system along with the malware.

The malware is used to install either TeamViewer or some other legitimate utility for remotely controlling infected systems. The attackers have then been using their remote access to inspect compromised systems for documents pertaining to financial, accounting, and procurement operations with a view to using them to enable financial fraud.

One tactic has been to change details in payment bills so payments are sent to the attackers rather that the intended organization, Kasperksy noted. When the attackers want additional information or access to other systems, they install additional malware to enable that goal. 

Kaspersky Lab's analysis of the phishing campaign suggests that the attackers started the campaign last October and targeted a relatively short list of companies through March this year, says Kirill Kruglov, senior research developer at Kaspersky Lab.

Since then, the attackers have broadened their attacks and are now going after a much broader set of targets.

"There could be at least two explanations," for why the attackers began small and then expanded their target list, Kruglov says. "[Either] the attackers collected data during the attack month by month, or they tested the attack vector on some portion of the information they had before launching it in full scope."

Financial Goals

So far, the attackers appear focused only on stealing money. The attackers use spyware to collect data and credentials for propagating inside victim networks. But there has been no evidence of purposeful interest in espionage and data theft.

While the task of assembling the information needed to carry out a targeted and highly personalized phishing campaign of this sort might appear enormous, in reality it isn't, Kruglov notes.

Usually, threat actors collect public information from corporate websites, social networks, and other sources. Or they could simply buy it on hacker forums or the dark net. "This means it is not much work. A few months are more than enough for threat actors to prepare such an attack," he says.

Kaspersky Lab's report is the second reminder of the growing sophistication of spear-phishing campaigns and the enormous success that it is netting threat actors. On Wednesday, US law enforcement authorities announced the arrests of three Ukrainian nationals connected with FIN7, a group believed responsible for stealing data on more than 15 million payment cards from organizations such as Saks Fifth Avenue, Chipotle and Arby's.

In many of the attacks, FIN7 operatives sent carefully crafted spear-phishing emails to vetted individuals at the targeted organization with the goal of installing malware on their systems for enabling payment card theft. FIN7 members even went to the extent of making phone calls to targeted individuals either before or after sending them a phishing email to try and bolster the credibility of their phishing lure.

"The level of meticulous detail in targeting more than eight hundred employees' PCs in today's widespread Eastern European spear-phishing campaign confirms what we've been seeing for some time," said Rohyt Belani, CEO and co-founder of Cofense. "Global phishing actors continue to leverage more personalized, spear-phishing campaigns as a sure-fire way to bypass next-generation email gateways and perimeter controls."

Related Content:

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
US Counterintelligence Director & Fmr. Europol Leader Talk Election Security
Kelly Sheridan, Staff Editor, Dark Reading,  10/16/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5790
PUBLISHED: 2020-10-20
Cross-site request forgery in Nagios XI 5.7.3 allows a remote attacker to perform sensitive application actions by tricking legitimate users into clicking a crafted link.
CVE-2020-5791
PUBLISHED: 2020-10-20
Improper neutralization of special elements used in an OS command in Nagios XI 5.7.3 allows a remote, authenticated admin user to execute operating system commands with the privileges of the apache user.
CVE-2020-5792
PUBLISHED: 2020-10-20
Improper neutralization of argument delimiters in a command in Nagios XI 5.7.3 allows a remote, authenticated admin user to write to arbitrary files and ultimately execute code with the privileges of the apache user.
CVE-2020-25157
PUBLISHED: 2020-10-20
The R-SeeNet webpage (1.5.1 through 2.4.10) suffers from SQL injection, which allows a remote attacker to invoke queries on the database and retrieve sensitive information.
CVE-2020-25648
PUBLISHED: 2020-10-20
A flaw was found in the way NSS handled CCS (ChangeCipherSpec) messages in TLS 1.3. This flaw allows a remote attacker to send multiple CCS messages, causing a denial of service for servers compiled with the NSS library. The highest threat from this vulnerability is to system availability. This flaw...