In October 2016, Kaspersky Lab ICS CERT detected a targeted attack aimed at industrial organizations. The worst affected were companies in the smelting, electric power generation and transmission, construction, and engineering industries.
# Incident Report: Targeted Spear Phishing Campaign Against Industrial Sector
## Executive Summary
In October 2016, Kaspersky Lab ICS CERT identified a widespread spear-phishing campaign targeting industrial organizations and critical infrastructure suppliers. The attack leveraged malicious email attachments and known vulnerabilities to deploy credential stealers and Remote Access Trojans (RATs). Over 500 organizations across 50 countries were affected, primarily in the smelting, power, and engineering sectors.
## Incident Details
- **Discovery Date:** October 2016
- **Incident Date:** August 2016 – Ongoing (at time of report)
- **Affected Organization:** Approximately 500 organizations (unnamed)
- **Sector:** Smelting, Electric Power, Construction, Engineering, and Industrial Automation Vendors
- **Geography:** Global (50 countries)
## Timeline of Events
### Initial Access
- **Date/Time:** August 2016
- **Vector:** Spear Phishing
- **Details:** Attackers sent emails masquerading as legitimate suppliers, banks, or shipping companies (e.g., DHL, Saudi Aramco). The attachments were either RTF files exploiting CVE-2015-1641 or archives in various formats (ACE, ZIP, RAR) containing executable malware.
### Lateral Movement
- **Details:** The report indicates attackers potentially compromised legitimate email accounts prior to the campaign to send emails from trusted sources, using historical correspondence to increase credibility.
### Data Exfiltration/Impact
- **Details:** Theft of credentials for web services, FTP, email clients, and cryptocurrency wallets. The RATs allowed for unauthorized remote control of systems via RDP and file manipulation.
### Detection & Response
- **How it was discovered:** Detected by Kaspersky Lab ICS CERT during routine monitoring of industrial sector threats.
- **Response actions taken:** Analysis of binaries, identification of Command & Control (C2) communication patterns, and publication of Indicators of Compromise (IoCs).
## Attack Methodology
- **Initial Access:** Spear phishing with malicious attachments (RTF exploits or compressed executables).
- **Persistence:** Deployment of RATs (Luminosity, HawkEye) providing persistent remote access.
- **Privilege Escalation:** Not explicitly detailed, though RDP management modules were used for administrative tasks.
- **Defense Evasion:** Specific VB and MSIL packers were used to obfuscate code and bypass antivirus detection. Use of legitimate-sounding filenames (e.g., `Energy & Industrial Solutions W.L.L_pdf.ace`).
- **Credential Access:** **FareIT/Pony 2.0** used to scrape credentials from browsers, FTP clients, and email clients (e.g., FileZilla, Outlook, Chrome).
- **Discovery:** **Luminosity RAT** used for system reconnaissance and file searching.
- **Lateral Movement:** Potential use of compromised legitimate email accounts to spread within partner networks.
- **Collection:** Automated collection of stored passwords and system information.
- **Exfiltration:** Data sent to C2 servers via HTTP POST commands.
- **Impact:** Theft of intellectual property, financial data (cryptocurrency), and unauthorized access to critical infrastructure support systems.
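The initial-access and defense-evasion entries above describe attachments that are either RTF exploit documents or ACE/ZIP/RAR archives whose names mimic a document (`_pdf.ace`). As an added example that is not part of the report, the following mail-gateway triage check encodes those observations; the executable-extension list and the sample attachments other than the quoted file name are constructed.

```python
import re
from dataclasses import dataclass, field

# Attachment types named in the report: RTF exploit documents and
# ACE/ZIP/RAR archives that carried the executables.
EXPLOIT_DOC_EXTS = {"rtf"}
CAMPAIGN_ARCHIVE_EXTS = {"ace", "zip", "rar"}
# Executable member extensions (assumed list, not from the report).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
# A document-like token glued onto the real extension, as in "_pdf.ace".
DECOY_RE = re.compile(r"[._-](pdf|docx?|xlsx?)\.([a-z0-9]+)$", re.IGNORECASE)


@dataclass
class Attachment:
    name: str
    members: list = field(default_factory=list)  # names inside an archive


def _ext(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def triage_attachment(att):
    """Return the reasons (possibly none) to hold an attachment for review."""
    reasons = []
    ext = _ext(att.name)
    if ext in EXPLOIT_DOC_EXTS:
        reasons.append("rtf-document")
    if ext in CAMPAIGN_ARCHIVE_EXTS:
        reasons.append(f"archive:{ext}")
    decoy = DECOY_RE.search(att.name)
    if decoy:
        reasons.append(f"decoy-extension:{decoy.group(1).lower()}")
    for member in att.members:
        if _ext(member) in EXECUTABLE_EXTS:
            reasons.append(f"executable-member:{member}")
    return reasons


# Constructed samples; only the first file name is quoted in the report.
SAMPLES = [
    Attachment("Energy & Industrial Solutions W.L.L_pdf.ace"),
    Attachment("Purchase_Order_2016.rtf"),
    Attachment("DHL_shipment.zip", members=["DHL_notice_pdf.exe"]),
    Attachment("quote.docx"),
]


def triage_all(attachments=SAMPLES):
    return {a.name: triage_attachment(a) for a in attachments}
```

An archive that passes every check is still worth sandboxing; the point of the triage is to hold the formats this campaign actually used rather than to clear the rest.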
## Impact Assessment
- **Financial:** Risk of direct theft via cryptocurrency and business email compromise (BEC).
- **Data Breach:** Extensive theft of authentication credentials for over 100 different application types.
- **Operational:** Potential for disruption of industrial processes via RDP access provided by RATs.
- **Reputational:** High risk for industrial automation vendors who may inadvertently infect their own customers.
## Indicators of Compromise
- **Network indicators:** HTTP POST requests to remote C2 servers (specific IPs/URLs omitted from summary but monitored by CERT).
- **File indicators:**
  - `Exploit.MSWord.Agent.hp`
  - `FareIT/Pony 2.0`
  - `Luminosity RAT`
  - `HawkEye Keylogger`
- **Behavioral indicators:** Unusual process activity originating from MS Word (RTF exploit) or WinRAR/WinZip; unexpected outbound HTTP POST traffic to unrecognized domains.
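As an added example (not part of the report), the two behavioral indicators above expressed as detection logic and run over constructed Sysmon-style process events and proxy records; the benign-child list, the POST allow-list and the WinZip image names are assumptions.

```python
# Parent processes the report names as the launch points for the payloads:
# Word rendering the RTF exploit and the archive tools opening ACE/ZIP/RAR
# attachments (WinZip image names are an assumption, not from the report).
SUSPECT_PARENTS = {"winword.exe", "winrar.exe", "winzip32.exe", "winzip64.exe"}
# Children these tools spawn legitimately; anything else is worth a look.
BENIGN_CHILDREN = {"splwow64.exe", "winword.exe", "winrar.exe"}
# Hosts this organisation expects to receive POSTs (assumed allow-list).
KNOWN_POST_HOSTS = {"mail.example.com", "crm.example.com"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_process(ev):
    """ev has 'parent' and 'image' paths; flag unexpected children of Word/archivers."""
    return (_basename(ev["parent"]) in SUSPECT_PARENTS
            and _basename(ev["image"]) not in BENIGN_CHILDREN)


def suspicious_post(line):
    """line is 'host method path status'; flag POSTs to hosts outside the allow-list."""
    host, method, _path, _status = line.split()
    return method == "POST" and host not in KNOWN_POST_HOSTS


# Constructed process-creation events (Sysmon-style fields, shortened).
PROCESS_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "image": r"C:\Users\ops\AppData\Local\Temp\update.exe"},
    {"parent": r"C:\Program Files\WinRAR\WinRAR.exe",
     "image": r"C:\Users\ops\AppData\Local\Temp\Rar$EXa0.123\Solutions_pdf.exe"},
    {"parent": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\WinRAR\WinRAR.exe"},
]
# Constructed proxy records; 198.51.100.23 is a documentation-range address.
PROXY_LINES = [
    "mail.example.com POST /owa/auth.owa 302",
    "198.51.100.23 POST /upload 200",
    "www.example.org GET /index.html 200",
    "crm.example.com POST /api/leads 201",
]


def find_alerts(events=PROCESS_EVENTS, proxy=PROXY_LINES):
    """Return (kind, detail) tuples for every record matching a behavioral indicator."""
    alerts = [("process", _basename(e["image"])) for e in events if suspicious_process(e)]
    alerts += [("network", l.split()[0]) for l in proxy if suspicious_post(l)]
    return alerts
```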
## Response Actions
- **Containment:** Blocked known C2 IP addresses and domains.
- **Eradication:** Used specialized antivirus signatures to detect and remove MSIL-packed malware.
- **Recovery:** Identification of compromised accounts and mandatory password resets across affected organizations.
## Lessons Learned
- **Supply Chain Vulnerability:** Attackers targeted contractors and vendors to gain a foothold in critical infrastructure, proving that secondary targets are often the weakest link.
- **Social Engineering Sophistication:** Using previous legitimate email threads makes phishing nearly indistinguishable from real business communication.
- **Malware Packaging:** Standard malware combined with sophisticated packers remains highly effective against traditional signature-based defenses.
## Recommendations
- **Technical Measures:**
  - Patch systems against **CVE-2015-1641** and other legacy Office vulnerabilities.
  - Implement Multi-Factor Authentication (MFA) for all external-facing services (Email, VPN, FTP).
  - Deploy behavioral-based endpoint protection to detect packed or unknown malware.
- **Policy & Training:**
  - Conduct advanced phishing awareness training that highlights the risk of "legitimate" looking email threads.
  - Establish strict procedures for validating banking or delivery changes via secondary communication channels.