A Kaspersky investigation into cyber attacks targeting the industrial sector in Eastern Europe revealed the use of advanced tactics, techniques, and procedures (TTPs) by threat actors to compromise industrial organisations in the region.
Manufacturing and industrial control system (ICS) engineering and integration companies were affected most, underlining the urgent need for stronger cybersecurity preparedness in these sectors.
The investigation uncovered a series of targeted attacks whose objective was to establish a permanent channel for data exfiltration. These campaigns closely resembled previously researched attacks such as ExCone and DexCone, pointing to APT31, also known as Judgment Panda and Zirconium.
The attackers also used advanced remote-access implants, demonstrating extensive knowledge of how to bypass security measures. These implants provided persistent channels for exfiltrating data, including from highly secure systems.
The threat actors again made extensive use of DLL hijacking (abusing legitimate third-party executables that will load a malicious dynamic-link library placed in their search path) to evade detection while running the multiple implants used across the three attack stages.
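The sideloading pattern described above leaves a recognisable trace in image-load telemetry: a DLL with the name of a Windows system library is resolved from the application's own (often user-writable) directory rather than from System32. The following detection logic is an added example written for this page, not code from the Kaspersky report or from the implants it describes. The event fields mirror Sysmon Event ID 7 (Image, ImageLoaded, Signed), the list of hijackable DLL names is an illustrative assumption rather than an authoritative list, and all sample events are constructed.

```python
# Added example (not from the Kaspersky report): flag likely DLL search-order
# hijacking / sideloading in image-load telemetry. Event fields mirror Sysmon
# Event ID 7 (Image, ImageLoaded, Signed); all events below are constructed.
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Windows directories from which the DLL names below are expected to be loaded.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# DLL names commonly abused for sideloading because many applications import
# them and will accept a copy dropped next to the executable. Illustrative
# subset (an assumption); a real deployment derives this from a clean baseline.
HIJACKABLE_SYSTEM_DLLS = {
    "version.dll", "dwmapi.dll", "userenv.dll", "wtsapi32.dll",
    "cryptbase.dll", "uxtheme.dll", "profapi.dll", "dbghelp.dll",
}

# Path fragments that indicate a user-writable drop location.
WRITABLE_HINTS = (r"\appdata\local\temp", r"\users\public", r"\programdata", r"\downloads")


@dataclass(frozen=True)
class ImageLoad:
    image: str          # process that performed the load (Sysmon: Image)
    image_loaded: str   # DLL that was mapped (Sysmon: ImageLoaded)
    signed: bool        # whether the DLL carried a valid Authenticode signature


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def classify(ev: ImageLoad) -> list[str]:
    """Return the reasons an image-load event looks like DLL hijacking (empty if benign)."""
    loaded = _norm(ev.image_loaded)
    loaded_dir = ntpath.dirname(loaded)
    name = ntpath.basename(loaded)
    proc_dir = ntpath.dirname(_norm(ev.image))
    reasons: list[str] = []

    # Signal 1: a system DLL name resolved outside the system directories.
    # This is the classic search-order hijack: the loader found the attacker's
    # copy in the application directory before it ever reached System32.
    if name in HIJACKABLE_SYSTEM_DLLS and not loaded_dir.startswith(SYSTEM_DIRS):
        reasons.append(f"{name} loaded from {loaded_dir} instead of a system directory")

    # Signal 2: an unsigned DLL mapped from a user-writable location, which is
    # where a dropped implant and its copied host executable usually sit.
    if not ev.signed and any(h in loaded_dir for h in WRITABLE_HINTS):
        reasons.append(f"unsigned DLL in writable location {loaded_dir}")

    # Signal 3: executable and DLL co-located in a writable directory, the
    # typical "legitimate EXE + malicious DLL" sideloading pair.
    if loaded_dir == proc_dir and any(h in proc_dir for h in WRITABLE_HINTS):
        reasons.append("DLL sideloaded from the executable's own writable directory")
    return reasons


def find_hijacks(events: list[ImageLoad]) -> list[tuple[str, list[str]]]:
    """Return (loaded DLL path, reasons) for every event with at least one signal."""
    return [(ev.image_loaded, r) for ev in events if (r := classify(ev))]


# Constructed sample telemetry (not real data): two benign loads, two sideloads.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\version.dll", True),
    ImageLoad(r"C:\Program Files\Vendor\app.exe", r"C:\Program Files\Vendor\vendorcore.dll", True),
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\updater.exe",
              r"C:\Users\alice\AppData\Local\Temp\version.dll", False),
    ImageLoad(r"C:\ProgramData\tool\tool.exe", r"C:\ProgramData\tool\dwmapi.dll", False),
]

if __name__ == "__main__":
    for path, reasons in find_hijacks(SAMPLE_EVENTS):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Signal 1 on its own catches the case the article describes; signals 2 and 3 are added so that a hijacked DLL with a non-system name (a vendor library replaced in place) is still surfaced when it is unsigned and sits in a writable directory. Tune WRITABLE_HINTS and the DLL list against a baseline of your own environment before alerting, since legitimate installers also run from Temp.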
Cloud storage services such as Dropbox and Yandex Disk, as well as temporary file-sharing platforms, were used both to exfiltrate data and to deliver follow-on malware. The attackers also hosted command and control (C2) infrastructure on Yandex Cloud and on ordinary virtual private servers (VPS) to keep control of compromised networks.
New variants of the FourteenHi malware were deployed in these attacks. First discovered in 2021 during the ExCone campaign against government entities, this malware family has since evolved, with new variants surfacing in 2022 that specifically target the infrastructure of industrial organisations.
The investigation also identified a previously unknown implant, dubbed MeatBall, a backdoor with extensive remote access capabilities.
"We cannot underestimate the significant risks posed to industrial sectors by the targeted attacks they face," comments Kirill Kruglov, a senior security researcher at Kaspersky ICS CERT.
"As organisations continue to digitise their operations and rely on interconnected systems, the potential consequences of successful attacks on critical infrastructure are undeniable."
"This analysis emphasises the critical importance of implementing resilient cybersecurity measures to protect industrial infrastructure against existing and future threats," he added.
Recommendations
Conducting regular security assessments of OT systems to identify and eliminate possible cyber security issues.
Establishing continuous vulnerability assessment and triage as the foundation of an effective vulnerability management process. Dedicated solutions like Kaspersky Industrial CyberSecurity can be an efficient assistant and a source of unique actionable information that is not fully available to the public.
Performing timely updates of the critical components of the enterprise's OT network. Applying security fixes and patches, or implementing compensating measures, as soon as it is technically possible is crucial for preventing a significant incident that might cost millions through interruption of the production process.
Using EDR solutions for timely detection of sophisticated threats, investigation, and effective remediation of incidents.
Improving the response to new and advanced malicious techniques by building and strengthening your teams’ incident prevention, detection, and response skills. Dedicated OT security training for IT security teams and OT personnel is one of the key measures helping to achieve this.