Researchers have found multiple spyware campaigns in the wild targeting industrial control systems (ICS). These campaigns aim at stealing data, getting financial gains, and spreading infections via compromised networks in the future.
Spyware Campaigns Targeting Industrial Control Systems
As elaborated in a recent report, the Kaspersky ICS CERT team detected multiple spyware campaigns actively targeting industrial systems.
What’s unique with these campaigns is that the threat actors haven’t developed new spyware for these attacks. Instead, they depend on the known spyware families, such as Snake Keylogger, AgentTesla/Origin Logger, Noon/Formbook, Masslogger, and Lokibot.
But they do not follow the conventional attack strategies in these campaigns. Rather they exhibit a change by precisely targeting their victims in a limited number with short-termed infections. As stated in the report,
The lifespan of the “anomalous” attacks is limited to about 25 days. And at the same time, the number of attacked computers is less than 100, of which 40-45% are ICS machines, while the rest are part of the same organizations’ IT infrastructure.
Besides, the detected malware samples exhibited a merely one-way SMTP-based communication with the C&Cs. It indicates that the attacks solely intended exfiltration.
While the attacks do not directly inflict any harm to the infrastructure, the information pilfered this way may pose a threat in the long run. That’s because the hackers are seemingly selling this information on dark web marketplaces.
According to Kaspersky, the stolen information, which includes credentials for corporate network services, was sold on over 25 different marketplaces.
These campaigns are going on at a large scale, targeting various businesses.
Overall, we have identified over 2,000 corporate email accounts belonging to industrial companies abused as next-attack C2 servers as a result of malicious operations of this type. Many more (over 7K in our estimation) have been stolen and sold on the web or abused in other ways.
Recommended Preventive Measures
Ironically, most corporate antispam technologies also aid in these attacks (indirectly) as they fail to make the hackers detectable.
Corporate antispam technologies help the attackers stay unnoticed while exfiltrating stolen credentials from infected machines by making them ‘invisible’ among all the garbage emails in spam folders.
Thus, the researchers advise the corporate users to implement adequate security measures to protect their networks. These include applying two-factor authentication, deploying appropriate endpoint security, training staff for cybersecurity measures, using sandbox solutions to test attachments, and ensuring testing attachments in both inbound and outbound emails.