Kaspersky already identified attacks on military-industrial organizations and public institutions in Eastern Europe and Afghanistan in early August. The malware used is similar to that of a Chinese-speaking APT group.
Kaspersky ICS CERT has identified a series of targeted attacks against industrial plants, research institutes, government agencies, ministries and offices in several Eastern European countries, including Russia, Ukraine and Belarus, as well as in Afghanistan. The APT actors were able to take control of the victims' entire IT infrastructure and engage in industrial espionage.
Attacks on military companies and organizations
In January 2022, Kaspersky experts discovered several advanced attacks on military companies and public organizations, including industrial plants, design offices, research institutes, government agencies, ministries and departments, aimed at stealing sensitive information and gaining control over the IT systems. The malware used by the attackers is similar to that of TA428 APT, a Chinese-speaking APT group.
Targeted attackers infiltrate corporate networks through carefully crafted spear-phishing emails, some of which contain information specific to the targeted organization that was not public at the time the email was sent. The phishing emails contained a Microsoft Word document with malicious code that exploits a vulnerability allowing arbitrary code to run without any further user interaction. The vulnerability exists in outdated versions of Microsoft Equation Editor, a component of Microsoft Office.
Use of six different backdoors
The attackers simultaneously used six different backdoors to set up additional communication channels with the infected systems in case one of the malicious programs was detected and removed by a security solution. These backdoors provide extensive functionality to control infected systems and collect sensitive data. The final phase of the attack was to take over the domain controller and gain complete control over all of the company's workstations and servers. In one case, the attackers were even able to take over the management console for the organization's cybersecurity solutions. After gaining domain administrator rights and access to Active Directory, the attackers performed a so-called "golden ticket" attack to impersonate any of the organization's user accounts and search for documents and other files containing the attacked organization's sensitive data. The attackers hosted the exfiltrated data on servers in different countries.
Golden Ticket Attacks
"Golden ticket attacks use the Default Authentication Protocol, which has been in use since the availability of Windows 2000," explains Vyacheslav Kopeytsev, security expert at ICS CERT Kaspersky. "By forging Kerberos Ticket Granting Tickets (TGTs) inside the corporate network, the attackers can access any service belonging to the network indefinitely. As a result, simply changing passwords or locking compromised accounts is not enough. Our recommendation: carefully review all suspicious activity and use trusted security solutions."
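As an added illustration of the "review all suspicious activity" advice (this is not code from the article or from Kaspersky): a Python heuristic over constructed domain-controller security events that flags service-ticket requests (event 4769) for which the KDC never issued or renewed a TGT (events 4768/4770) within the ticket lifetime, or whose account does not exist in the directory. The event shapes, account names and hosts are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of domain-controller security events (not from the article).
# 4768 = TGT issued by the KDC, 4770 = TGT renewed, 4769 = service ticket (TGS) requested.
SAMPLE_EVENTS = [
    {"id": 4768, "user": "alice", "src": "10.0.1.20", "time": "2022-01-10T08:00:00"},
    {"id": 4769, "user": "alice", "src": "10.0.1.20", "time": "2022-01-10T08:00:05", "svc": "cifs/fs01"},
    {"id": 4769, "user": "administrator", "src": "10.0.1.77", "time": "2022-01-10T09:15:00", "svc": "ldap/dc01"},
    {"id": 4769, "user": "svc_ghost", "src": "10.0.1.77", "time": "2022-01-10T09:16:00", "svc": "cifs/fs01"},
    {"id": 4768, "user": "bob", "src": "10.0.1.31", "time": "2022-01-09T20:00:00"},
    {"id": 4769, "user": "bob", "src": "10.0.1.31", "time": "2022-01-10T09:30:00", "svc": "http/intranet"},
]
KNOWN_ACCOUNTS = {"alice", "bob", "administrator"}  # constructed stand-in for an AD user export
MAX_TGT_LIFETIME = timedelta(hours=10)  # default domain policy for a TGT's maximum lifetime


def find_suspicious_tgs(events, known_accounts, max_tgt_lifetime=MAX_TGT_LIFETIME):
    """Return (event, reason) pairs for 4769 events that look like forged-TGT use.

    A golden ticket is forged offline, so the KDC logs no 4768/4770 for it; when the
    forged TGT is presented for a service ticket, the DC still logs a 4769.
    """
    tgt_times = defaultdict(list)  # (user, source host) -> times a TGT was issued/renewed
    for e in events:
        if e["id"] in (4768, 4770):
            tgt_times[(e["user"].lower(), e["src"])].append(datetime.fromisoformat(e["time"]))

    findings = []
    for e in sorted(events, key=lambda x: x["time"]):  # ISO timestamps sort lexically
        if e["id"] != 4769:
            continue
        user = e["user"].lower()
        t = datetime.fromisoformat(e["time"])
        if user not in known_accounts:
            findings.append((e, "account does not exist in directory"))
            continue
        recent = [tt for tt in tgt_times[(user, e["src"])] if timedelta(0) <= t - tt <= max_tgt_lifetime]
        if not recent:
            findings.append((e, "no TGT issued or renewed by KDC within ticket lifetime"))
    return findings


if __name__ == "__main__":
    for event, reason in find_suspicious_tgs(SAMPLE_EVENTS, KNOWN_ACCOUNTS):
        print(f"{event['time']} {event['user']}@{event['src']} -> {event.get('svc')}: {reason}")
```

The correlation is keyed on account and source host, so it is a coarse triage aid rather than proof of forgery; since a forged TGT stays valid for as long as the krbtgt key it was signed with, remediation means resetting the krbtgt account password twice, not just the user passwords the article says are insufficient.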
About Kaspersky
Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services to protect companies, critical infrastructures, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250,000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com/