Dangerous attacks on the industrial sector through the cloud

by time news

2023-08-09 11:01:43

Kaspersky has analyzed cyber attacks targeting the industrial sector in Eastern Europe. The main conclusion is that the attackers use advanced Tactics, Techniques and Procedures (TTPs) to compromise industrial organizations in the region. The most affected areas have been manufacturing, engineering and Industrial Control Systems (ICS), which highlights the need for greater preparation in cybersecurity.

During the analysis, Kaspersky discovered a series of targeted attacks that sought to establish a persistent channel for exfiltrating data from the victim organizations. The technique bears similarities to earlier campaigns, such as ExCone and DexCone, from which the involvement of APT31, also known as Judgment Panda and Zirconium, can be inferred.

Kaspersky experts discovered remote-access implants capable of circumventing corporate security controls, which reveals the professionalization of the attackers. These implants made it possible to establish covert channels that leaked data even from infrastructures with high levels of security.

Specifically, the attackers used DLL hijacking (placing a malicious DLL beside a legitimate, signed third-party executable that loads it, so the malicious code runs inside a trusted process) to evade detection by endpoint security. Cloud storage services such as Dropbox and Yandex Disk, along with temporary file-sharing platforms, served both to exfiltrate the stolen data and to stage additional malware for delivery. The attackers also stood up command and control (C2) infrastructure on Yandex Cloud and on Virtual Private Servers (VPS) to maintain control over compromised networks. A command and control infrastructure is what lets the attacker issue commands to, and receive data from, the implants on compromised systems from a server under their control.

As part of these attacks, new variants of the FourteenHi malware were also deployed. FourteenHi was first discovered in 2021 during the ExCone campaign directed against government entities; the variants seen in 2022 were used against industrial infrastructures. In addition, Kaspersky experts discovered a new backdoor called MeatBall with extensive remote access capabilities.

“The great risks posed to industrial sectors by targeted attacks cannot be underestimated. As organizations digitize their operations through interconnected systems, the risk of cyberattacks becomes more apparent. Kaspersky’s analysis highlights the importance of establishing resilient security measures to protect industrial infrastructures against current and future threats,” says Kirill Kruglov, Senior Security Analyst at Kaspersky ICS CERT.
