Kaspersky provides summary of APT attacks on industrial organizations in latter half of 2022

Researchers from Kaspersky recently published a summary report of APT (advanced persistent threat) attacks on industrial organizations in the second half of 2022. They also released related activity of groups that have been observed attacking industrial organizations and critical infrastructure facilities. 

Across Southeast Asia and the Korean Peninsula, the researchers attributed an emerging ransomware threat to a North Korea-based hacker group that they call DEV-0530 (the group calls itself ‘H0lyGh0st’). DEV-0530 has targeted small-to-medium businesses in multiple countries since September 2021, including manufacturing organizations, banks, schools, and event and meeting planning companies.

The Kaspersky report found that the attackers employ ‘double extortion,’ encrypting data and also threatening to publish it if the target refuses to pay. Researchers have found connections between DEV-0530 and the PLUTONIUM APT group (aka DarkSeoul and Andariel).

In February, U.S. security agencies, the Department of Health and Human Services (HHS), and the Republic of Korea’s Defense Security Agency and National Intelligence Service published a joint Cybersecurity Advisory (CSA) that highlighted that the ransomware attacks on critical infrastructure fund malicious cyber activities executed by the DPRK (Democratic People’s Republic of Korea). The agencies also revealed that DPRK cyber hackers have been using cryptocurrency generated through illicit cybercrime activities to procure infrastructure such as IP addresses and domains.

The Kaspersky report also said that for over a decade, the Tropic Trooper APT actor has been actively targeting victims in East and Southeast Asia. The company has been tracking this threat actor for several years and has published a report describing its malicious operations. The report is available to subscribers of the Threat Intelligence Reporting service.

Last February, Symantec published a report describing a campaign called ‘Antlion,’ which has been observed targeting financial institutions and a manufacturing company in Taiwan. “In the manufacturing target, where the attackers maintained their presence for about 175 days, researchers saw the attackers attempting to download malicious files via SMB shares. While analyzing the IoCs of this campaign, Kaspersky found strong connections with the Tropic Trooper threat actor, which led to the conclusion that the group was behind the Antlion campaign,” Kaspersky reported.

In the Kaspersky investigation, different attacks conducted by this threat actor using the malware families described by Symantec were discovered and studied, together with new versions of the malware that were discussed in an earlier Kaspersky report on the Tropic Trooper APT actor. The infection chain for these attack cases, the attack infrastructure, lateral movement, and post-exploitation activities carried out by this actor were analyzed. Additional target verticals besides the finance sector were identified, including the tech hardware and semiconductors industry, as well as a political entity.

Kaspersky researchers uncovered an ongoing Lazarus campaign targeting defense contractors in South Africa and Brazil dating back to March. The actor contacted potential victims via social networks or email and sent the initial malware through Skype. The malware is a Trojanized PDF application that initiates a multi-stage infection chain, loading additional payloads that contain C&C (command-and-control) communication capability via the DLL side-loading technique. The attackers also deployed additional malware to the initial host to pivot and perform lateral movement.

In this process, Kaspersky identified that the operator took advantage of a relatively new DLL side-loading technique named ‘ServiceMove.’ The technique was introduced by a red team researcher and abused the ‘Windows Perception Simulation Service’ to load arbitrary DLL files for malicious purposes. The Lazarus group is equipped with a variety of tools, which it employs with various infection chains. While examining all the samples in this case, different clusters were observed: ThreatNeedle, Bookcode, and DeathNote.

In the Middle East region, Kaspersky included a suspected Iranian threat activity cluster that has been linked to attacks aimed at Israeli shipping, government, energy, and healthcare organizations, in a campaign stretching back to late 2020. Researchers believe that the data harvested during the campaign could be used to support various activities. UNC3890, the threat actor behind the attacks, deployed two proprietary pieces of malware – a backdoor named ‘SUGARUSH’ and a browser credential stealer called ‘SUGARDUMP,’ which exfiltrates password information to email addresses registered with Gmail, ProtonMail, Yahoo, and Yandex email services. 

The Kaspersky report added that the threat actor also employs a network of C&C servers that host fake login pages impersonating legitimate platforms such as Office 365, LinkedIn, and Facebook. These servers are designed to communicate with the targets and also with a watering hole hosted on the login page of a legitimate Israeli shipping company.

Researchers have discovered previously undocumented custom backdoors and cyberespionage tools deployed by the POLONIUM APT threat actor against targets in Israel. The targets include organizations in the engineering, IT, law, communications, branding and marketing, media, insurance, and social services sectors. The threat actor targeted more than a dozen organizations between September 2021 and September 2022.

Kaspersky ICS CERT experts detected a wave of targeted attacks on military-industrial complex enterprises and public institutions in several countries. The attack targeted over a dozen organizations, including industrial plants, design bureaus, and research institutes, government agencies, ministries, and departments in several East European countries (Belarus, Russia, and Ukraine), as well as Afghanistan. 

Some of the malware used in these attacks had previously been observed in attacks conducted by the IronHusky APT group. The research has also identified malware and C&C servers previously used in attacks attributed by other researchers to the TA428 APT group.

Last April, the Positive Technologies Expert Security Center detected an attack on several Russian energy and media companies using a malicious document. The investigation subsequently revealed many other documents used in attacks on the same companies. The campaigns contained identical snippets of code for harvesting information about network adapters and collecting data about the infected system; the document stubs had clear similarities, and in all cases, cloud servers were used to control the malware. An investigation of the tools showed that the attackers used Yandex[dot]Disk as the C&C server.

Proofpoint and PwC Threat Intelligence teams published a joint research paper about a cyberespionage campaign that focused on government, energy, and manufacturing organizations in the Asia-Pacific region. It deployed phishing emails directing targets to a fake news outlet. The attackers — referred to as TA423, Red Landon, or APT40 — designed the site to deliver malware known as ScanBox.

According to Symantec, government and state-owned organizations in several Asian countries have been targeted by a group of cyber-espionage hackers formerly associated with the ShadowPad RAT. The attackers use a wide range of legitimate software packages to load their malware payloads using DLL side-loading. The campaign targets government institutions, state-owned media, IT, telecoms firms, and government-owned aerospace and defense companies. 

Researchers at Symantec have published a report detailing a cyber espionage campaign that has targeted the government of a Middle Eastern country, a multinational electronics manufacturer, and a U.S. State Legislature. The hacking group, which is called Budworm, is believed to have ties to China’s government.

The Kaspersky report also included Trend Micro research on a previously undocumented sub-group of APT41 (aka Winnti) that has been targeting organizations in East and Southeast Asia and Ukraine since at least 2020.

In its first wave of attacks, the threat actor, which has been dubbed Earth Longzhi, targeted government organizations, infrastructure companies, and healthcare companies in Taiwan, as well as Chinese banks. In the second wave, the group infiltrated high-profile victims in Ukraine and several countries in Asia, including defense, aviation, insurance, and urban development companies.

Moving to Russian-speaking activity, the Kaspersky report covered an October Microsoft report on new ransomware named ‘Prestige,’ which was used to target transport and logistics industries in Ukraine and Poland. Initially, the malware was given a temporary name, DEV-0960. There is an overlap in victims between Prestige and HermeticWiper malware, although it is unclear whether the two are controlled by the same attacker – DEV-0960. Before deploying ransomware, the DEV-0960 activity included the use of RemoteExec and an open-source utility called Impacket WMIexec.

Researchers at CheckPoint have observed Cloud Atlas (aka Inception) campaigns focused on very specific targets in Belarus, mainly in the country’s transportation and military radio-electronics sectors, and in Russia, including the government sector, energy and metal industries, since June 2022, Kaspersky reported. “The actor has also maintained its focus on the Crimean Peninsula, as well as Lugansk and Donetsk regions. Cloud Atlas has used spear-phishing emails containing malicious attachments as their initial attack vector for many years, using current geo-political issues directly related to the target country as a lure.”

The Kaspersky report also covered ESET discovery of targeted attacks against high-profile companies and local government bodies, mostly in Asia but also in the Middle East and Africa. The attacks were conducted by a previously unknown cyberespionage group, active since at least 2020, that they named “Worok”. Targets included companies from the telecoms, banking, maritime, energy, government, and public sectors. In some cases, Worok exploited the infamous ProxyShell vulnerabilities to gain initial access.

The report also included a transnational joint advisory published by CISA (Cybersecurity and Infrastructure Security Agency), the FBI, the NSA (National Security Agency), U.S. Cyber Command (USCC) – Cyber National Mission Force (CNMF), and the Department of the Treasury, which warns of APT actors affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC) targeting a broad range of entities, including entities across multiple U.S. critical infrastructure sectors. The advisory was written in collaboration with Australian, Canadian, and British cybersecurity agencies.

Another joint alert from CISA, the FBI, and the NSA revealed that between November 2021 and March 2022, attackers hid inside a U.S. Defense Industrial Base organization’s enterprise network and stole sensitive data. The CISA alert provides technical details of the incident response activities. It was determined that multiple APT groups likely compromised the organization’s network, and that some APT actors had long-term access to the environment.

Last January, researchers from Kaspersky’s ICS CERT division identified several anomalous spyware campaigns targeting industrial enterprises, with the operators of these campaigns looking for corporate credentials, either to commit financial fraud or to sell them to other hackers. Spear-phishing emails with malicious attachments were sent from compromised corporate mailboxes to their contacts; the attackers made use of ‘off-the-shelf’ spyware but limited the scope and lifetime of each sample to the bare minimum.