New Kaspersky ICS CERT report reviews Q1 APT, financial attacks on industrial enterprises

New findings by the Kaspersky ICS CERT team offer a comprehensive overview of reported APT (advanced persistent threat) and financial attacks on industrial enterprises from the first quarter of this year. The report also details the activities of groups observed targeting industrial organizations and critical infrastructure facilities. As always, social engineering (phishing) and exploitation of vulnerable internet-facing devices were the most common methods used to penetrate a target organization. 

“Vulnerabilities in the Ivanti Secure VPN solution and a Microsoft Outlook vulnerability were zero-days at the time they were exploited, requiring a great deal of effort and some luck for the targeted organizations to detect the attacks in their early stages,” Kaspersky said in its latest report. “Enterprises considering protection against such threats should pay close attention to their information infrastructure. It should be divided into separate security domains in such a way that the compromise of one system, even a very important one, does not automatically allow the attacker to gain access to adjacent systems and move laterally in the infrastructure. This requires a lot of effort and investment, including highly qualified personnel.”

Kaspersky highlighted findings from ESET researchers who have identified a sophisticated cyber implant named ‘NSPX30,’ used by a newly discovered APT group believed to be affiliated with China, known as Blackwood. The group employs adversary-in-the-middle techniques to manipulate legitimate software update requests for implant delivery and to intercept telecom traffic, camouflaging its command and control communications as normal HTTP and UDP requests to Baidu’s services. 

NSPX30 is a complex, multi-component implant comprising a dropper, installer, loaders, orchestrator, and a backdoor, the latter two of which support various plugins. Designed to facilitate packet interception, the implant enables Blackwood to conceal its infrastructure effectively. Researchers have linked NSPX30 to an older backdoor, Project Wood, with the earliest sample traced back to 2005. Blackwood has been actively involved in cyber espionage targeting entities in China, Japan, and the UK, including a significant manufacturing and trading company in China and the Chinese branch of a Japanese engineering firm. 

The researchers suggest that the traffic interception likely occurs near the targets rather than at Baidu or through a Chinese telecom, as Baidu’s infrastructure is geographically dispersed and accessible globally via anycast.

Industrial cybersecurity firm Dragos detailed in February that Voltzite, a threat actor, has been conducting reconnaissance and enumeration activities on U.S. electric companies since early 2023, aligning with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Microsoft’s identification of the Volt Typhoon threat group. The group uses living-off-the-land techniques, maintains high operational security standards, and engages in credential theft. They have targeted U.S. entities, emergency management services, telecommunications, satellite services, and African electric transmission and distribution providers. 

Furthermore, Voltzite managed to exfiltrate critical data, including geographic information system details and SCADA system configurations, from devices and software like Fortinet FortiGuard, PRTG Network Monitor appliances, ManageEngine ADSelfService Plus, FatePipe WARP, Ivanti Connect Secure VPN, and Cisco ASA.

Volt Typhoon compromised the IT environments of multiple organizations primarily in communications, energy, transportation, water and wastewater sectors in the continental and non-continental U.S. and its territories, including Guam. The actor leverages strong operational security, which allows it to evade detection and maintain long-term persistence on compromised systems. US authorities are also concerned that the Volt Typhoon group may exploit access to critical networks to cause disruption, particularly in the midst of potential military conflicts or geopolitical tensions. The advisory and guidance are accompanied by a technical guide with information on how to detect Volt Typhoon techniques and mitigation measures.

Kaspersky pointed to research from Group-IB pointing to new attacks by the Russian-speaking hacker group RedCurl targeting companies in the construction, logistics, aviation, and mining industries in Australia, Singapore, and Hong Kong. RedCurl, first detected in late 2019, has carried out over 40 attacks, half in Russia, and the rest in the UK, Germany, Canada, Norway, and Ukraine. The group was initially suspected to be related to Cloud Atlas APT, but no other intersections were found. 

The attackers were exclusively engaged in cyber-espionage, stealing business information such as corporate correspondence, employee files, legal documents, and other secrets. The entry point for new attacks remains the same: sending emails to employees with attachments in the form of SVG files or RAR archives containing SVG. 

The attackers then execute commands via rundll32.exe, RedCurl.SimpleDownloader, and RedCurl.Extractor to extract and persist RedCurl.FSABIN. The group requests a decryption key and an encrypted BAT script from the C2 server.

Kaspersky also mentioned Trend Micro’s findings on Pawn Storm, also known as APT28, which launched NTLMv2 hash relay attacks between April 2022 and November 2023 to infiltrate government, defense, military, energy, and transportation networks worldwide. The threat actor exploited the CVE-2023-23397 vulnerability to collect NTLMv2 digests from targeted Outlook accounts and send malicious calendar invitations. 

Pawn Storm used various tools, including VPN services, Tor, data center IP addresses, and compromised EdgeOS routers. They also compromised email accounts and used them as launch pads for spear-phishing emails. 

The FBI, NSA, US Cyber Command, and international partners released a joint Cybersecurity Advisory (CSA) in February warning that the actor was compromising Linux-based Ubiquiti EdgeRouters to facilitate malicious cyber operations worldwide. According to the CSA, the actor targeted various industries, including aerospace, defense, education, energy, utilities, governments, hospitality, manufacturing, oil and gas, retail, technology, and transportation. The FBI investigation revealed that APT28 actors accessed EdgeRouters compromised by Moobot, allowing them to execute NTLM relay attacks and host rogue authentication.
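The Outlook flaw (CVE-2023-23397) that Pawn Storm used to harvest NTLMv2 digests works, per Microsoft's public advisory, by setting a calendar item's reminder sound property (PidLidReminderFileParameter) to a UNC path on an attacker-controlled host, so that Outlook authenticates to that host when the reminder fires. The following is an added example, not Kaspersky's, Trend Micro's or Microsoft's code: a defender-side triage check that takes a constructed dictionary of that item's named properties (the dictionary representation and the `corp.example` internal-domain allowlist are assumptions for the example) and flags reminders whose sound file points at a host outside the organization. Parsing real MSG or Exchange items is left to whatever export tooling the environment already has.

```python
"""Flag calendar reminders whose sound file is a UNC path to an external host.

Added example for triage of CVE-2023-23397-style items; the property names are
the real MAPI names, the dict representation of an item is a constructed stand-in
for whatever your mailbox export produces.
"""
import re
from ipaddress import ip_address

# \\host\share\...  or the WebDAV form \\host@SSL@443\DavWWWRoot\...
UNC_RE = re.compile(r"^\\\\([^\\/]+)[\\/]")


def unc_host(value: str):
    """Return the host named by a UNC path, or None for local paths."""
    match = UNC_RE.match(value.strip())
    if not match:
        return None
    # drop WebDAV decorations such as "@SSL@443" after the host name
    return match.group(1).split("@")[0].lower()


def is_internal(host: str, internal_suffixes) -> bool:
    """Private IPs and hosts under an allowlisted suffix count as internal."""
    try:
        return ip_address(host).is_private
    except ValueError:
        pass  # not an IP literal, fall through to the name check
    return any(host == s or host.endswith("." + s) for s in internal_suffixes)


def assess_reminder(props: dict, internal_suffixes=("corp.example",)):
    """Return {'host', 'path'} when the reminder sound leaves the organisation.

    props maps MAPI named-property names to values (constructed representation).
    PidLidReminderOverride must be true for Outlook to honour a custom sound, but
    the check stays conservative and flags an external path either way.
    """
    value = props.get("PidLidReminderFileParameter")
    if not value:
        return None
    host = unc_host(value)
    if host is None:            # e.g. C:\Windows\Media\chimes.wav
        return None
    if is_internal(host, internal_suffixes):
        return None
    return {
        "host": host,
        "path": value,
        "override": bool(props.get("PidLidReminderOverride", False)),
    }


if __name__ == "__main__":
    # constructed sample items; example.net stands in for an attacker host
    samples = [
        {"PidLidReminderFileParameter": r"\\files.corp.example\media\ding.wav"},
        {"PidLidReminderFileParameter": r"\\relay.example.net@SSL@443\DavWWWRoot\r.wav",
         "PidLidReminderOverride": True},
        {"PidLidReminderFileParameter": r"C:\Windows\Media\chimes.wav"},
    ]
    for item in samples:
        print(item["PidLidReminderFileParameter"], "->", assess_reminder(item))
```

Blocking outbound TCP 445 at the perimeter and keeping privileged accounts in the Protected Users group, which disables NTLM for them, are the complementary network-side mitigations; this check is for finding items that already landed in mailboxes.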

The Kaspersky report also mentioned Mandiant’s findings on a cyber-espionage campaign targeting the aerospace and defense industries in Israel, the UAE, Turkey, India, and Albania. The campaign began in June 2022 and was led by UNC1549, a group linked to Iran. Researchers observed UNC1549 using evasion techniques, including Microsoft Azure cloud infrastructure and social engineering schemes to disseminate two unique backdoors – MINIBIKE and MINIBUS. MINIBIKE is capable of exfiltrating files, executing commands, and using Azure cloud infrastructure, while MINIBUS provides a more flexible code-execution interface and enhanced reconnaissance capabilities. 

Researchers also discovered a custom tunneler called LIGHTRAIL, likely based on an open-source Socks4a proxy.

Kaspersky also listed that the APT actor known as SideWinder has launched hundreds of attacks against high-profile entities in Asia and Africa in recent months. The infection chain is consistent with the process described in previous Kaspersky reports. Most attacks begin with a Microsoft Word document sent via spear-phishing email or a ZIP archive containing an LNK file. The attachment triggers a chain of events that leads to the execution of multiple intermediate stages written in JavaScript and .NET, and finally compromises the system with a malicious implant developed in .NET that runs only in memory and is loaded with custom-packed loaders.
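Two of the delivery vehicles on this page are plain file-type signals a mail gateway can act on: RedCurl's SVG attachments and RAR archives containing SVG, and SideWinder's ZIP archives containing an LNK shortcut. The following attachment triage function is an added example, not Group-IB's, Kaspersky's or any vendor's code; it classifies an attachment by both extension and content (so a renamed SVG or LNK is still caught), looks inside ZIP members while reading only a bounded prefix of each, and flags RAR files for separate inspection because the standard library cannot open them. The sample attachments at the bottom are constructed.

```python
"""Mail attachment triage for SVG and LNK lures (added example, constructed data).

Covers: SVG attached directly, SVG inside an archive, LNK inside an archive.
ZIP members are inspected with the standard library; RAR would need the
third-party ``rarfile`` package, so a RAR is only flagged here.
"""
import io
import zipfile

# Shell link header: HeaderSize 0x4C followed by the LNK class id.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")
RAR_MAGIC = b"Rar!\x1a\x07"
PEEK = 4096  # bytes read per archive member; bounds work on a decompression bomb


def looks_like_svg(data: bytes) -> bool:
    head = data.lstrip()[:PEEK].lower()
    return head.startswith(b"<svg") or (head.startswith(b"<?xml") and b"<svg" in head)


def looks_like_lnk(data: bytes) -> bool:
    return data.startswith(LNK_MAGIC)


def classify(name: str, data: bytes) -> list:
    """Return the lure kinds one file matches: 'svg', 'lnk' or nothing."""
    kinds = []
    lower = name.lower()
    if lower.endswith(".svg") or looks_like_svg(data):
        kinds.append("svg")
    if lower.endswith(".lnk") or looks_like_lnk(data):
        kinds.append("lnk")
    return kinds


def triage_attachment(name: str, data: bytes) -> list:
    """Return human-readable findings for a single attachment (empty if clean)."""
    findings = [f"attachment {name!r} is {k}" for k in classify(name, data)]
    if data.startswith(RAR_MAGIC):
        findings.append(f"attachment {name!r} is a RAR archive; inspect members with rarfile")
    elif zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                try:
                    with zf.open(info) as member:
                        head = member.read(PEEK)
                except RuntimeError:  # password-protected member: classify by name only
                    head = b""
                    findings.append(f"archive {name!r}: member {info.filename!r} is encrypted")
                for k in classify(info.filename, head):
                    findings.append(f"archive {name!r} contains {k} member {info.filename!r}")
    return findings


def build_sample_zip(member_name: str, payload: bytes) -> bytes:
    """Constructed helper: a one-member ZIP in memory, for the demo and tests."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


# constructed sample payloads
SAMPLE_SVG = b'<?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg"></svg>'
SAMPLE_LNK = LNK_MAGIC + b"\x00" * 60

if __name__ == "__main__":
    samples = {
        "invoice.svg": SAMPLE_SVG,
        "notes.txt": SAMPLE_SVG,                      # SVG content, misleading name
        "docs.zip": build_sample_zip("scan.lnk", SAMPLE_LNK),
        "report.pdf": b"%PDF-1.7 constructed",
        "archive.rar": RAR_MAGIC + b"\x00" * 8,
    }
    for filename, blob in samples.items():
        print(filename, "->", triage_attachment(filename, blob) or "clean")
```

The extension check and the content check are deliberately independent: the Word-document lure on this page would not be caught by either, so this is one gate in a chain, not a replacement for macro and OLE inspection.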

During the investigation, Kaspersky researchers observed a rather large infrastructure consisting of many different VPSs and dozens of subdomains. Many subdomains are believed to have been created for specific victims, and the naming scheme suggests that the attacker was trying to disguise malicious communications as legitimate traffic for websites related to government entities or logistics companies. SideWinder has historically targeted government and military entities in South Asia, but in this case, an expansion of its targets was observed. The actor also compromised victims located in Southeast Asia and Africa. 

In addition, Kaspersky telemetry revealed that different diplomatic entities in Europe, Asia, and Africa were compromised. The expansion of targets also includes new industries, as evidenced by the discovery of new targets in the logistics sector, specifically maritime logistics.

Kaspersky also included data from Check Point researchers that identified a new, financially motivated threat actor, dubbed ‘Magnet Goblin’, which targeted U.S. medical, manufacturing and energy companies by exploiting vulnerabilities in Ivanti’s products.

The attackers are thought to have targeted vulnerable Ivanti Connect Secure VPN servers and used them to deploy backdoors in the targeted IT systems. The malware used by the attackers includes a Linux backdoor called MiniNerbian, a new version of NerbianRAT, a JavaScript credential stealer called WARPWIRE, and Ligolo, an open-source tunneling tool written in Go. They also use legitimate remote monitoring and management tools such as ScreenConnect and AnyDesk.

In April, Kaspersky published data on cybercriminal and hacktivist attacks on industrial organizations, with a separate report dedicated to APT attacks. Some links to corporate website pages containing incident information are broken, but the team chose to retain them based on the victim’s company statements. The overview focuses on incidents confirmed by affected organizations or government officials, excluding reports solely from cybercriminal groups.
