While the ever-changing technological landscape has brought the IT and OT sides of the organisation closer together, it has also exposed ICS networks to vulnerabilities that affect IT systems.
On this point, Kaspersky ICS CERT discovered a number of spyware attacks aimed at businesses.
These attacks are designed to steal company credentials, which can then be used for financial theft or sold on to other threat actors; compromised SMTP services are also used as a one-way C2 channel to exfiltrate the data the spyware collects.
Getting into the intricacies
- From compromised mailboxes, the attackers send spear-phishing emails with harmful attachments to their contacts.
- While the attackers utilise well-known spyware such as Agent Tesla, HawkEye, Snake Keylogger, and Azorult, each sample has a limited lifespan and scope. These types of attacks have been dubbed anomaly attacks.
- According to Kaspersky specialists, the stolen data is initially used to spread the malware over the local network and to target other firms in order to obtain more credentials.
- The majority of the attacks are carried out by small, low-skilled gangs that specialise in financial fraud. However, a small number of these groups are on the lookout for credentials that would grant them access to corporate network services such as SMTP, RDP, VPN, and SSH, which they can then sell on dark web marketplaces.
- As a one-way C2, industrial businesses’ SMTP services are also used to exfiltrate data stolen by spyware.
Here are some numbers for you.
- More than 2,000 business email accounts belonging to industrial companies were discovered to have been stolen and misused.
- ICS-related infections accounted for over 45 percent of all affected computers.
- Over 7,000 business email accounts, according to Kaspersky, have already been hacked and sold on online marketplaces.
- Around 20% of the malware samples were in use for only about 25 days before being replaced with new ones.
- More than 25 marketplaces dedicated to selling stolen data were discovered by researchers.
There’s more to come.
- A cyberespionage effort centred on renewable energy targeted certain major ICS vendors and other companies.
- This campaign has been running since at least 2019 and collects usernames and passwords using a standard “Mail Box” phishing kit.
- Honeywell, Huawei, Schneider Electric, HiSilicon, and the Kardzhali power plant are among the industrial targets.
- Utah State University, the University of Wisconsin, and California State University were among the universities targeted in the attack.
- The California Air Resources Board, Taiwan Forestry Research Institute, Morris County Municipal Utilities Authority, the Carbon Disclosure Program, and many Bulgarian banks are among the other targets.
- While attribution has been challenging, analysts have found links to two previously identified activity groups, APT28 and Konni.
Conclusion
Most of these attacks come from small, low-skilled gangs that specialise in financial fraud. A small number of groups, however, hunt specifically for credentials to corporate network services such as SMTP, RDP, VPN, and SSH, which they then sell on dark web marketplaces, and the SMTP services of industrial businesses double as a one-way C2 channel for exfiltrating the data the spyware steals.