Researchers have recently detected an advanced persistent threat (APT) campaign that targets critical infrastructure equipment manufacturers by using industry-sector-themed spear-phishing emails and a combination of free tools. This tactic fits into the “living off the land” trend of cyber espionage actors reducing their reliance on custom and unique malware programs that could be attributed to them in favor of dual-use tools that are publicly available.
The victims include a Korean multi-billion-dollar conglomerate that makes heavy equipment for power transmission and distribution facilities, renewable energy, chemical plants, welding and construction, but also a steel manufacturer, a chemical plant construction firm, a pipe manufacturer, a valve manufacturer and an engineering firm. The researchers have evidence that over 200 systems have been compromised so far and the campaign, which they’ve dubbed Gangnam Industrial Style, is still active.
Information theft through known malware
The goal of the Gangnam attackers is information theft, which is reflected in their use of a password stealer that has been modified to also collect documents from compromised systems. The stolen files could contain trade secrets, design schematics and other sensitive business information that could allow attackers to plan future attacks, discover vulnerabilities in products or help their clients gain a competitive advantage.
The malware used in the attack is a new variant of Separ, a browser and email credential stealer that has been around since at least 2013. The new version is capable of searching systems for documents and images with certain extensions and upload them to an FTP server.
Separ is actually a collection of tools and batch scripts packaged in a self-extracting archive and configured to work together. It contains the Browser Password Dump and Email Password Dump tools by SecurityXploded and the NcFTPPut FTP client, to which the Gangnam attackers added the password dumper from The LaZagne Project, a folder deletion tool called deltree, a command Line Process Viewer/Killer/Suspender and a secure FTP client called MOVEit Freely.
The lure: Well-crafted requests for quotation
Victims of this campaign are targeted with well-crafted phishing emails that masquerade as requests for quotation (RFQs) from the industrial sector and have malicious ZIP attachments. The rogue archives contain malicious batch scripts that have the PDF file icon.
According to CyberX, examples of spear-phishing emails used in this campaign include an RFQ for designing a power plant in the Czech Republic that was supposedly sent by a Siemens subsidiary, an RFQ for designing a coal-fired power plant in Indonesia, supposedly sent by the engineering subsidiary of a major Japanese conglomerate, and an email purporting to be from a major European engineering company that designs gas processing and production plants.
The attackers did their homework and included documents such as power plant schematics, technical white papers and corporate profiles in their emails to make them more believable and legitimate-looking.
Once again, this shows the need for companies to train their employees to be suspicious of emails received from unknown senders, especially when they contain archives and even when they seem relevant for their company’s business. Attachments should also be scanned with an antimalware solution and the files inside should not be opened if they have executable extensions.
Companies from the industrial sector should ensure that systems and industrial control networks are properly segmented from their general IT networks and that remote access is performed using multi-factor authentication so that any credentials obtained by attackers can’t be easily used to access and compromise additional systems.
“Our research indicates the Gangnam Industrial Style campaign is ongoing because newly stolen credentials are still being uploaded to the adversary’s C2 [command-and-control] server,” the CyberX researchers said in their report.