Full Report
In late 2016, the Kaspersky Lab Industrial Control Systems Cyber Emergency Response Team (Kaspersky Lab ICS CERT) reported on phishing attacks that were primarily targeting industrial companies from the metallurgy, electric power, construction, engineering and other sectors.
Analysis Summary
Based on the Kaspersky ICS CERT reporting regarding the late 2016 - 2017 campaigns targeting industrial sectors, here is the structured summary of the threat actor activity.
# Threat Actor: Nigerian Phishing Groups (Business Email Compromise / Industrial Focus)
## Attribution & Identity
* **Identification:** The activity is attributed to several distinct groups of "Nigerian Phishing" actors (often categorized under the broader umbrella of Business Email Compromise or BEC actors).
* **Aliases:** While often referred to generically as Nigerian actors, specific clusters have been tracked by other researchers as "SilverTerrier."
* **Identity:** These are categorized as cybercriminal groups, primarily operating out of Nigeria, characterized by relatively low technical sophistication but high operational effectiveness through social engineering.
## Activity Summary
* **Late 2016 - 2017 Campaigns:** The actor launched widespread phishing campaigns disguised as legitimate business communications (invoices, requests for quotes, and payment notifications) specifically tailored for industrial companies.
* **Primary Goal:** The capture of corporate credentials to facilitate unauthorized wire transfers or "man-in-the-browser" financial fraud.
## Tactics, Techniques & Procedures
* **Phishing/Social Engineering:** Crafting highly convincing emails with attachments related to industrial procurement (e.g., "Request for Quotation," "Shipping Documents").
* **Malicious Attachments:** Use of ZIP, 7z, or ACE archives containing executable malware.
* **Credential Harvesting:** Utilizing spyware to steal saved passwords from web browsers, email clients, and FTP software.
* **Email Communication Interception:** Monitoring compromised accounts to insert themselves into active business transactions and redirect payments.
* **Persistence:** Use of "Auto-run" registry keys to ensure malware remains active after system reboots.
## Targeting
* **Sectors:** Industrial Control Systems (ICS), Metallurgy, Electric Power, Construction, Engineering, Manufacturing, and Mining.
* **Geography:** Primarily focused on companies in Egypt, United Arab Emirates, Saudi Arabia, Germany, and Russia.
* **Victims:** Over 500 industrial companies were identified as targets in the 2016-2017 reporting period.
## Tools & Infrastructure
* **Malware Families:**
    * **Commercial Spyware/RATs:** Hawkeye, NetWire, Azorult, and Pony (Fareit).
    * **Keyloggers:** KeyBase, G-Data.
* **Infrastructure:**
    * **C2:** Use of dynamic DNS services (e.g., no-ip[.]com).
    * **Hosting:** Public cloud storage and low-cost shared hosting providers for malware delivery.
    * **Exfiltration:** Data often sent via SMTP (using compromised webmail accounts) or HTTP POST requests to attacker-controlled panels.
## Implications
* **Industrial Risk:** While the motivation is financial, the compromise of workstations at industrial facilities poses a secondary risk to operational technology (OT). If an attacker steals credentials for VPNs or remote access software, they could inadvertently or intentionally gain access to ICS environments.
* **Evolution of BEC:** This activity marked a shift from "spray and pray" consumer phishing to targeted "Big Game Hunting" within the industrial sector.
## Mitigations
* **Security Awareness:** Training employees to verify payment detail changes via out-of-band communication (phone calls).
* **Email Filtering:** Implementing robust spam and attachment filtering to block executable content within archives (EXE, SCR, VBS).
* **Authentication:** Enforcing Multi-Factor Authentication (MFA) on all corporate email accounts so that a stolen password alone cannot be reused to log in.
* **Endpoint Protection:** Utilizing EDR solutions to detect common behavior of commercial spyware (e.g., unauthorized registry modifications and credential store access).
* **Network Monitoring:** Monitoring for unauthorized SMTP traffic or connections to known dynamic DNS providers.
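A small detection example, added here and not taken from the Kaspersky report, showing how the two network indicators above (outbound SMTP from hosts other than the mail relay, and DNS lookups for dynamic DNS zones such as no-ip.com) can be checked against connection logs. The log line format, the relay address 10.0.0.25 and the dynamic DNS zones other than no-ip.com are assumptions made for the example.

```python
import re

# Dynamic DNS zones to watch. no-ip.com is named in the report; the others are
# assumed additions of the kind a defender would keep on such a watch-list.
DYNDNS_ZONES = ("no-ip.com", "ddns.net", "hopto.org", "zapto.org")
# Hosts permitted to speak SMTP outbound (assumed: the corporate relay only).
APPROVED_MAIL_RELAYS = {"10.0.0.25"}
SMTP_PORTS = {25, 465, 587}

# Constructed sample log lines (not real telemetry).
# Format assumed: "<timestamp> <src_ip> <dst_ip>:<port> <proto> [query=<name>]"
SAMPLE_LOGS = """\
2017-03-02T08:01:10 10.0.5.17 93.184.216.34:443 tcp
2017-03-02T08:01:12 10.0.5.17 198.51.100.9:587 tcp
2017-03-02T08:01:13 10.0.0.25 198.51.100.9:25 tcp
2017-03-02T08:02:40 10.0.5.17 10.0.0.53:53 udp query=update.no-ip.com
2017-03-02T08:02:41 10.0.5.17 10.0.0.53:53 udp query=files.example.org
2017-03-02T08:03:05 10.0.5.22 203.0.113.7:80 tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>[^:]+):(?P<port>\d+) (?P<proto>\w+)"
    r"(?: query=(?P<query>\S+))?$"
)


def is_dyndns(name):
    """True if the queried name is in, or below, a watched dynamic DNS zone."""
    name = name.lower().rstrip(".")
    return any(name == z or name.endswith("." + z) for z in DYNDNS_ZONES)


def find_alerts(log_text, relays=APPROVED_MAIL_RELAYS):
    """Return (timestamp, source, reason) tuples for lines matching either indicator."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than aborting the whole run
        port = int(m["port"])
        if port in SMTP_PORTS and m["src"] not in relays:
            alerts.append((m["ts"], m["src"], f"smtp-from-non-relay:{m['dst']}:{port}"))
        if m["query"] and is_dyndns(m["query"]):
            alerts.append((m["ts"], m["src"], f"dyndns-lookup:{m['query']}"))
    return alerts


if __name__ == "__main__":
    for ts, src, reason in find_alerts(SAMPLE_LOGS):
        print(ts, src, reason)
```

Relay traffic on port 25 from 10.0.0.25 produces no alert, while the workstation's direct submission on 587 and its lookup under no-ip.com each do.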