During the investigation, Kaspersky uncovered a series of targeted attacks with the objective of establishing a permanent channel for data exfiltration. These campaigns exhibited significant resemblances to previously researched attacks, such as ExCone and DexCone, suggesting the involvement of APT31, also known as Judgment Panda and Zirconium.
The investigation unveiled the use of advanced implants designed for remote access, showcasing the threat actors' extensive knowledge and expertise in bypassing security measures. These implants enabled the establishment of persistent channels for data exfiltration, including from highly secure systems.
Notably, the threat actors again made extensive use of DLL hijacking (abusing legitimate third-party executables that can be made to load malicious dynamic-link libraries into their memory) in an attempt to evade detection while running the multiple implants used across the three attack stages.
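A defender-side illustration of the DLL hijacking pattern described above, added here as an example rather than code from the report or from Kaspersky: it triages image-load records reduced to three Sysmon Event ID 7 fields and flags loads that fit search-order hijacking or side-loading from a staging directory. The directory lists, the hijack-prone DLL names and the sample events are all constructed assumptions, not indicators from the investigation.

```python
import ntpath
from dataclasses import dataclass

# Windows system library directories (lowercase, trailing backslash) from which
# a legitimately resolved system DLL should be loaded.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Locations an unprivileged user can normally write to.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Constructed, non-exhaustive set of system DLL names that executables often
# resolve by search order rather than absolute path, making them hijack-prone.
HIJACK_PRONE = {"version.dll", "dbghelp.dll", "wininet.dll", "userenv.dll"}

@dataclass
class ImageLoad:
    """Subset of Sysmon Event ID 7 (Image loaded) fields."""
    image: str         # Image: the process that loaded the library
    image_loaded: str  # ImageLoaded: full path of the DLL that was loaded
    signed: bool       # Signed: whether the DLL carries a valid signature

def reasons(ev: ImageLoad) -> list:
    """Return the reasons (if any) that one image load looks like DLL hijacking."""
    dll, exe = ev.image_loaded.lower(), ev.image.lower()
    name = ntpath.basename(dll)
    found = []
    if name in HIJACK_PRONE and not dll.startswith(SYSTEM_DIRS):
        found.append(f"{name} resolved outside the system directories")
    if not ev.signed and dll.startswith(USER_WRITABLE):
        found.append("unsigned DLL loaded from a user-writable location")
    if (not ev.signed and exe.startswith(USER_WRITABLE)
            and ntpath.dirname(dll) == ntpath.dirname(exe)):
        found.append("executable and unsigned DLL staged together in a user-writable directory")
    return found

def triage(events: list) -> dict:
    """Map each suspicious DLL path to its reasons; clean loads are omitted."""
    return {ev.image_loaded: r for ev in events if (r := reasons(ev))}

# Constructed sample events: a clean system load, a staged hijack, and an
# unsigned but in-place vendor helper that should not be flagged.
SAMPLE_EVENTS = [
    ImageLoad("C:\\Program Files\\Vendor\\tool.exe",
              "C:\\Windows\\System32\\version.dll", True),
    ImageLoad("C:\\Users\\alice\\AppData\\Local\\Temp\\upd\\tool.exe",
              "C:\\Users\\alice\\AppData\\Local\\Temp\\upd\\version.dll", False),
    ImageLoad("C:\\Program Files\\Vendor\\tool.exe",
              "C:\\Program Files\\Vendor\\vendorhelper.dll", False),
]
```

Feeding real Sysmon data into `triage` means mapping the Image, ImageLoaded and Signed fields into `ImageLoad` records; the third sample shows why the rules require a user-writable location before treating an unsigned helper as side-loading.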
Cloud-based data storage services like Dropbox and Yandex Disk, as well as temporary file-sharing platforms, have been used to exfiltrate data and deliver subsequent malware. They also deployed command and control (C2) infrastructure on Yandex Cloud as well as on regular virtual private servers (VPS) to maintain control over compromised networks.
Within these attacks, new variants of the FourteenHi malware were used. Originally discovered in 2021 during the ExCone campaign targeting government entities, this malware family has since evolved, with new variants surfacing in 2022 that specifically target the infrastructure of industrial organizations.
Additionally, a novel malware implant, dubbed MeatBall, was discovered during the investigation. This backdoor implant possesses extensive remote access capabilities.
"We cannot underestimate the significant risks posed to industrial sectors by the targeted attacks they face. As organizations continue to digitize their operations and rely on interconnected systems, the potential consequences of successful attacks on critical infrastructure are undeniable. This analysis emphasizes the critical importance of implementing resilient cybersecurity measures to protect industrial infrastructure against existing and future threats," comments Kirill Kruglov, Senior Security Researcher at Kaspersky ICS CERT.
To read the full report on the first-stage implants, visit the Kaspersky ICS CERT website.
To keep your OT computers protected from various threats, Kaspersky experts recommend:
· Conducting regular security assessments of OT systems to identify and eliminate possible cybersecurity issues.
· Establishing continuous vulnerability assessment and triage as the foundation of an effective vulnerability management process. Dedicated solutions like Kaspersky Industrial CyberSecurity can be an effective aid and a source of unique, actionable information that is not fully available publicly.
· Performing timely updates for the key components of the enterprise’s OT network; applying security fixes and patches or implementing compensating measures as soon as it is technically possible is crucial for preventing a major incident that might cost millions due to the interruption of the production process.
· Using EDR solutions such as Kaspersky Endpoint Detection and Response for timely detection of sophisticated threats, investigation, and effective remediation of incidents.
· Improving the response to new and advanced malicious techniques by building and strengthening your teams’ incident prevention, detection, and response skills. Dedicated OT security training for IT security teams and OT personnel is one of the key measures that helps achieve this.