Kaspersky detects anomalous spyware campaigns targeting industrial enterprises

Researchers from Kaspersky ICS CERT division have identified a number of anomalous spyware campaigns targeting industrial enterprises, with operators of such campaigns looking for corporate credentials, aiming to commit financial fraud or to sell them to other hackers. Spearphishing emails with malicious attachments were sent from compromised corporate mailboxes to their contacts, as attackers made use of ‘off-the-shelf’ spyware, but limited the scope and lifetime of each sample to the bare minimum.

In addition, researchers found that the SMTP services of industrial enterprises are abused both to send spearphishing emails and to collect data stolen by spyware, serving as a one-way C2 (Command and Control) channel. “Up to 45% of all computers attacked appear to be ICS-related (and having access to the corporate email service),” Kirill Kruglov wrote in the Kaspersky research. “Overall, we have identified over 2,000 corporate email accounts belonging to industrial companies stolen and abused as next-attack C2,” he added.

In 2021, Kaspersky researchers noticed a curious anomaly in statistics on spyware threats blocked on ICS (industrial control systems) computers, according to Kruglov. “Although the malware used in these attacks belongs to well-known commodity spyware families such as Agent Tesla/Origin Logger, HawkEye and others, these attacks stand out from the mainstream due to the very limited number of targets in each attack (from a handful to a few dozen) and the very short lifetime of each malicious sample,” he added. 

Most of the spyware samples blocked had multiple layers of obfuscation nested one inside another, Kaspersky said in its report. The technique is essentially based on hiding binary code in the resources of an application. “As we discovered, the only significant difference between generic and anomalous spyware samples was the types of C2 infrastructure used,” it added.

C2 infrastructure is the set of tools and techniques that attackers use to maintain communication with compromised devices after initial exploitation, allowing them to keep control of systems inside a target network. Here the distinction that matters is the transport: a two-way C2 channel can deliver commands to the implant, whereas a one-way channel only carries stolen data out.

Kaspersky said that, unlike generic spyware, the majority of anomalous samples were configured to use SMTP-based C2s rather than FTP or HTTP(S) ones, as a one-way communication channel: the malware only sends stolen data out and receives no commands back, which means the channel was planned solely for theft. About 18.9 percent of all anomalous spyware samples were configured to connect to a server owned by a victim industrial enterprise, and almost all (99.8 percent) of the C2 servers found in the configurations of anomalous samples were deployed in three regions: Asia, Europe and North America.

“We also noticed that the majority of C2s, including those deployed on abused infrastructure owned by industrial companies, were deployed on servers in North America,” Kaspersky said. 

“That was an unexpected finding since 34.6% of attacked ICS computers belong to Asian companies,” according to Kaspersky. “But the analysis revealed that a surprisingly large number of mid-size industrial companies in Asia have their public-access infrastructure, such as DNS, corporate web and email servers, hosted on North American rather than Asian servers (rented directly from North American providers or from various Asian providers that in fact “provide” infrastructure made available to them by North American providers),” it added.

By the time the anomaly was detected, “this had become a trend: around 21.2% of all spyware samples blocked on ICS computers worldwide in H1 2021 were part of this new limited-scope short-lifetime attack series and, at the same time, depending on the region, up to one-sixth of all computers attacked with spyware were hit using this tactic,” Kaspersky said.

Kaspersky’s data also showed that the lifetime of these anomalous samples is limited to about 25 days, much less than the lifespan of a ‘traditional’ spyware campaign. Although each anomalous sample is short-lived and not widely distributed, together they account for a disproportionately large share of all spyware attacks.

Another tactic Kaspersky found was propagating the attacks from inside the victim’s infrastructure, thereby ‘legitimizing’ the phishing email traffic.

“Abusing legitimate mailboxes (compromised at a previous attack stage) enables the actors to rapidly change their C2s and limit detection by network security solutions. What makes this possible for threat actors is the ubiquitous use of antispam technologies in the modern mail systems of their victims,” according to Kaspersky. “This tactic has proved so effective that, depending on the region, it was used to attack up to one-sixth of all ICS computers we saw attacked with spyware during H1 2021,” it added.

The attackers use corporate mailboxes compromised in earlier attacks as the C2 servers for new attacks, Kaspersky said.

“Amongst attacks of this kind, we’ve noticed a large set of campaigns that spread from one industrial enterprise to another via hard-to-detect phishing emails disguised as the victim organizations’ correspondence and abusing their corporate email systems to attack through the contact lists of compromised mailboxes,” it added.
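The two abuses described above, spyware on ICS hosts pushing stolen data out over SMTP and compromised corporate mailboxes reused as attacker infrastructure, both leave traces in logs a defender already has. The following Python is an added illustration, not code from Kaspersky’s report, that runs two detections over constructed sample log lines. The flow and authentication log formats, the ICS address range (10.20.0.0/16), the corporate mail server address (10.1.1.25) and all IP addresses are assumptions made for the example.

```python
"""Flag SMTP activity consistent with one-way SMTP C2 and abused corporate mailboxes.

Added example; the log formats and addresses below are invented for illustration.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample records (not from the report):
#   FLOW lines: firewall flow records from the plant and office networks
#   AUTH lines: SMTP submission authentication results from the corporate MTA
SAMPLE_LOGS = """\
FLOW src=10.20.5.14 dst=10.1.1.25 dport=25
FLOW src=10.20.5.14 dst=198.51.100.77 dport=587
FLOW src=10.20.5.31 dst=10.1.1.25 dport=587
FLOW src=10.20.5.31 dst=203.0.113.9 dport=465
FLOW src=10.20.5.31 dst=10.50.2.3 dport=25
FLOW src=10.30.7.8 dst=203.0.113.9 dport=443
AUTH user=j.smith@example.com src=10.30.7.8 result=ok
AUTH user=j.smith@example.com src=198.51.100.200 result=ok
AUTH user=j.smith@example.com src=198.51.100.201 result=ok
AUTH user=j.smith@example.com src=203.0.113.50 result=ok
AUTH user=m.jones@example.com src=10.30.7.9 result=ok
AUTH user=m.jones@example.com src=10.30.7.9 result=ok
AUTH user=m.jones@example.com src=198.51.100.5 result=fail
"""

ICS_NETS = [ip_network("10.20.0.0/16")]       # assumed OT/ICS address space
INTERNAL_NETS = [ip_network("10.0.0.0/8")]     # assumed enterprise address space
CORP_MAIL_SERVER = ip_address("10.1.1.25")     # assumed corporate MTA
SMTP_PORTS = {25, 465, 587}

FLOW_RE = re.compile(r"^FLOW src=(\S+) dst=(\S+) dport=(\d+)$")
AUTH_RE = re.compile(r"^AUTH user=(\S+) src=(\S+) result=(\w+)$")


def parse_logs(text):
    """Split the mixed log text into flow tuples and auth tuples."""
    flows, auths = [], []
    for line in text.splitlines():
        line = line.strip()
        if m := FLOW_RE.match(line):
            flows.append((ip_address(m[1]), ip_address(m[2]), int(m[3])))
        elif m := AUTH_RE.match(line):
            auths.append((m[1], ip_address(m[2]), m[3]))
    return flows, auths


def in_nets(ip, nets):
    return any(ip in n for n in nets)


def detect_ics_smtp(flows):
    """ICS-zone hosts have no business submitting mail; classify each SMTP flow by destination."""
    findings = []
    for src, dst, dport in flows:
        if dport not in SMTP_PORTS or not in_nets(src, ICS_NETS):
            continue
        if dst == CORP_MAIL_SERVER:
            kind = "ics_smtp_to_corporate_mta"   # stolen data relayed through the victim's own MTA
        elif in_nets(dst, INTERNAL_NETS):
            kind = "ics_smtp_internal"           # an unexpected internal relay
        else:
            kind = "ics_smtp_external"           # direct one-way C2 to an attacker-controlled mailbox
        findings.append((kind, str(src), str(dst), dport))
    return findings


def detect_mailbox_abuse(auths, min_external_ips=2):
    """A mailbox that authenticates successfully from several external addresses
    looks like a credential that has been stolen and is being reused as C2."""
    seen = defaultdict(set)
    for user, src, result in auths:
        if result == "ok" and not in_nets(src, INTERNAL_NETS):
            seen[user].add(str(src))
    return [("mailbox_external_logins", user, sorted(ips))
            for user, ips in sorted(seen.items()) if len(ips) >= min_external_ips]


def run(text):
    flows, auths = parse_logs(text)
    return detect_ics_smtp(flows) + detect_mailbox_abuse(auths)


if __name__ == "__main__":
    for finding in run(SAMPLE_LOGS):
        print(finding)
```

On the sample, the two ICS hosts are flagged both for talking to the corporate MTA and for direct submissions to external mail servers, and j.smith@example.com is flagged for successful logins from three distinct external addresses; the failed login for m.jones@example.com is ignored. In production the same logic would read from the firewall and MTA rather than an inline string, and the thresholds and address ranges would come from the site’s own network inventory.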

Last week, a researcher revealed a suspected intelligence-gathering campaign that targeted renewable energy and high-profile organizations, including the OT and ICS vendors Schneider Electric and Honeywell. With a particular focus on Bulgaria, the long-running espionage campaign is said to have used multiple credential-harvesting pages to target the email accounts of employees at a number of organizations, beginning in 2019 and still ongoing in 2022.
