
In January 2022, Kaspersky researchers witnessed several advanced attacks on military enterprises and public organizations. The primary aim of the attacks was to access companies’ private information and to gain control over IT systems. The malware being used by the attackers is similar to the one deployed by TA428 APT, a Chinese-speaking APT group.

The attackers infiltrate enterprise networks by sending carefully crafted phishing emails, some of which contain information specific to the target organization that had not been made publicly available at the time the emails were sent. This indicates that the attackers deliberately prepare for the attacks and select their targets in advance. The phishing emails include a Microsoft Word document with malicious code that exploits a vulnerability enabling an attacker to execute arbitrary code without any further action by the user. The vulnerability exists in outdated versions of the Microsoft Equation Editor, a component of Microsoft Office.

Moreover, the attackers used six different backdoors at the same time – to set up additional communication channels with infected systems in case one of the malicious programs was detected and removed by a security solution. These backdoors provide extensive functionality for controlling infected systems and collecting confidential data.

The attack’s final stage involves hijacking the domain controller and gaining complete control of all the organization’s workstations and servers – and in one of the cases, the attackers even took over the control center of the organization’s cybersecurity solutions. After gaining domain administrator privileges and access to Active Directory, the attackers ran the “golden ticket” attack to impersonate arbitrary user accounts in the organization and search for documents and other files containing the attacked organization’s sensitive data, which they exfiltrated to attacker-controlled servers hosted in different countries.

“Golden Ticket attacks take advantage of the default authentication protocol which has been used since the availability of Windows 2000. By forging Kerberos Ticket Granting Tickets (TGTs) within the corporate network, the attackers can independently access any service that belongs to the network for an unlimited time. As a result, just changing passwords or blocking compromised accounts won’t be enough. Our advice is to check carefully all suspicious activity and rely on trustworthy security solutions,” comments Vyacheslav Kopeytsev, a security expert at ICS CERT Kaspersky.
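One defender-side heuristic for the forged-TGT behaviour described above, as an added example that is not part of the Kaspersky report: a golden ticket is minted offline, so the KDC never logs a TGT request (Windows event 4768) for it, yet service-ticket requests (event 4769) presenting that account still arrive at domain controllers. The script assumes those two event IDs and the dict field names shown; the event records and account list are constructed.

```python
"""Flag Kerberos service-ticket requests that look like forged-TGT ("golden ticket") use.

Assumed log model: each event is a dict with "id" (Windows event ID), "account"
and "time". 4768 = TGT requested (AS-REQ), 4769 = service ticket requested
(TGS-REQ). Events must be collected from ALL domain controllers, since the
legitimate 4768 may have been logged on a different DC than the 4769.
"""
from datetime import datetime, timedelta

TGT_REQUESTED = 4768
SERVICE_TICKET_REQUESTED = 4769


def find_golden_ticket_candidates(events, known_accounts, max_tgt_age=timedelta(hours=10)):
    """Return (account, time, reason) for each suspicious 4769 event.

    A 4769 is flagged when the account is not known to the directory at all,
    or when no 4768 for that account was seen within max_tgt_age before it
    (10 hours is the default maximum TGT lifetime in Active Directory).
    """
    last_tgt = {}          # account -> time of the most recent 4768
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        account = ev["account"].lower()
        if ev["id"] == TGT_REQUESTED:
            last_tgt[account] = ev["time"]
        elif ev["id"] == SERVICE_TICKET_REQUESTED:
            if account not in known_accounts:
                findings.append((account, ev["time"], "unknown account"))
            elif account not in last_tgt or ev["time"] - last_tgt[account] > max_tgt_age:
                findings.append((account, ev["time"], "service ticket without recent TGT request"))
    return findings


def _t(hour, minute):
    """Constructed timestamp helper for the sample data below."""
    return datetime(2022, 1, 15, hour, minute)


# Constructed sample events; real input would come from DC Security logs.
SAMPLE_EVENTS = [
    {"id": 4768, "account": "alice", "time": _t(8, 0)},
    {"id": 4769, "account": "alice", "time": _t(8, 5)},            # normal: TGT then service ticket
    {"id": 4769, "account": "Administrator", "time": _t(9, 30)},   # no 4768 on any DC
    {"id": 4769, "account": "svc_ghost", "time": _t(9, 31)},       # account does not exist in AD
]
KNOWN_ACCOUNTS = {"alice", "administrator"}   # lower-cased names exported from the directory

if __name__ == "__main__":
    for account, when, reason in find_golden_ticket_candidates(SAMPLE_EVENTS, KNOWN_ACCOUNTS):
        print(f"{when:%H:%M} {account}: {reason}")
```

Because a forged ticket stays valid regardless of account password changes, a hit from this check is a reason to go beyond password resets and plan a double reset of the krbtgt account as part of the response.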

Learn more about these targeted attacks on Kaspersky ICS CERT.

To keep your ICS computers protected from various threats, Kaspersky experts recommend businesses:

  • Regularly update operating systems and application software that are part of the enterprise’s network. Apply security fixes and patches to IT and OT network equipment as soon as they are available
  • Conduct regular security audits of IT and OT systems to identify and eliminate possible vulnerabilities
  • Use ICS network traffic monitoring, analysis, and detection solutions for better protection from attacks which potentially threaten technological processes and main enterprise assets
  • Put in place dedicated security training for IT security teams and OT engineers, to improve response to new and advanced malicious techniques
  • Provide the security team responsible for protecting industrial control systems with up-to-date threat intelligence. Our ICS Threat Intelligence Reporting service provides insights into current threats and attack vectors, as well as the most vulnerable elements in OT and industrial control systems and how to mitigate them
  • Use security solutions for OT endpoints and networks such as Kaspersky Industrial CyberSecurity, to ensure comprehensive protection for all industry critical systems
  • Protect IT infrastructure as well; it is no less important. Integrated Endpoint Security protects corporate endpoints and enables automated threat detection and response capabilities

Golden ticket for industrial espionage: APT group takes over IT infrastructure

Kaspersky ICS CERT has detected a wave of targeted attacks on military-industrial complex enterprises and public institutions in several Eastern European countries and in Afghanistan. The cybercriminals were able to take control over victims’ entire IT infrastructure – for the purpose of industrial espionage.