Industrial sector companies in Eastern Europe were attacked by a threat actor using advanced implants and novel malware. Cloud-based data storage services have been used to exfiltrate data and then proliferate malware.
Kaspersky has uncovered a series of targeted attacks on industrial companies in Eastern Europe aimed at establishing a persistent channel for data exfiltration. These attacks shared significant similarities with previously studied attacks such as ExCone and DexCone; this suggests the involvement of APT31, also known as Judgment Panda and Zirconium.
The attacks used advanced implants designed to allow remote access, demonstrating the threat actors' extensive knowledge and experience in evading security measures. These implants helped set up permanent channels for data exfiltration, even from highly secured systems.
Data exfiltration through cloud storage services
In addition, DLL hijacking techniques were used extensively: legitimate third-party executables that are vulnerable to loading a malicious dynamic-link library into their memory were abused to run the implants. This was intended to evade detection while multiple implants executed across the three attack phases.
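As an added defender-side example (not code from Kaspersky's report), the check below flags image-load events with the shape that DLL search-order hijacking produces: a DLL carrying a Windows system DLL name loaded from outside the system directories, or an unsigned DLL loaded from the executable's own directory. The event fields mirror Sysmon Event ID 7, but the directory list, DLL names and sample events are constructed assumptions.

```python
"""Flag image-load events consistent with DLL search-order hijacking."""
import ntpath
from dataclasses import dataclass

# Directories Windows normally loads its own DLLs from (assumption: default
# install paths; adjust to the host's configuration).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# A small constructed list of system DLL names often impersonated by hijack
# payloads; a production rule would use a fuller inventory.
KNOWN_SYSTEM_DLLS = {"version.dll", "dwmapi.dll", "cryptbase.dll", "uxtheme.dll", "winmm.dll"}


@dataclass
class ImageLoad:
    image: str    # process executable path (Sysmon EID 7 "Image")
    loaded: str   # DLL path (Sysmon EID 7 "ImageLoaded")
    signed: bool  # DLL carries a valid signature (Sysmon EID 7 "Signed")


def is_suspicious(ev: ImageLoad):
    """Return a triage reason for a hijack-shaped load, or None if benign."""
    path = ev.loaded.lower()
    name = ntpath.basename(path)
    in_system_dir = path.startswith(SYSTEM_DIRS)
    # Loaded from the same directory as the executable: the search-order
    # position an attacker-planted DLL occupies.
    side_loaded = ntpath.dirname(path) == ntpath.dirname(ev.image.lower())
    if name in KNOWN_SYSTEM_DLLS and not in_system_dir:
        return "system DLL name loaded outside system directory"
    if side_loaded and not ev.signed:
        return "unsigned DLL loaded from application directory"
    return None


def triage(events):
    """Return (image, loaded DLL, reason) for every suspicious event."""
    return [(ev.image, ev.loaded, reason) for ev in events if (reason := is_suspicious(ev))]


# Constructed sample events; not indicators from the campaign described above.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Program Files\Vendor\updater.exe", r"C:\Windows\System32\version.dll", True),
    ImageLoad(r"C:\Program Files\Vendor\updater.exe", r"C:\Program Files\Vendor\version.dll", False),
    ImageLoad(r"C:\Users\op\AppData\Local\Temp\viewer.exe", r"C:\Users\op\AppData\Local\Temp\helper.dll", False),
    ImageLoad(r"C:\Program Files\Vendor\updater.exe", r"C:\Program Files\Vendor\vendorcore.dll", True),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(" | ".join(hit))
```

Of the four constructed events, the signed system DLL from System32 and the signed vendor DLL pass, while the two hijack-shaped loads are reported.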
Cloud storage services such as Dropbox and Yandex Disk and temporary file-sharing platforms were used to exfiltrate the data and then distribute malware. Further, the threat actors deployed command and control (C2) infrastructure on Yandex Cloud as well as on regular Virtual Private Servers (VPS) to maintain control over compromised networks.
New variants of the FourteenHi malware target industrial companies
The attacks also deployed new variants of the FourteenHi malware, which was discovered back in 2021 during the ExCone campaign targeting government agencies. The malware has evolved since then; over the past year, new variants have appeared that are aimed specifically at the infrastructure of industrial companies. Kaspersky's experts also found a new type of malware implant, MeatBall, a backdoor with extensive remote access capabilities.
"We must not underestimate the risks posed to the industry by targeted attacks," said Kirill Kruglov, senior security researcher at Kaspersky ICS CERT. "Companies continue to digitize their processes and are dependent on networked systems. The potential consequences of successful attacks on critical infrastructure are significant. This APT campaign we examined underscores the critical importance of comprehensive cybersecurity measures to protect industrial infrastructures from current and future threats."
Kaspersky recommendations for protecting operational technology
- Conduct regular security assessments of the OT systems to identify and eliminate potential cyber security issues.
- Establish continuous vulnerability assessment and triage as the basis for an effective vulnerability management process. Dedicated solutions such as Kaspersky Industrial CyberSecurity provide unique actionable intelligence that is not fully publicly available and can help protect systems.
- Make timely updates to the key components of the OT network. Applying security fixes and patches and implementing countermeasures as soon as technically possible is crucial to prevent a serious incident.
- Use an EDR solution such as Kaspersky Endpoint Detection and Response to detect, investigate, and remediate incidents in a timely manner.
- Conduct dedicated OT security training for IT security teams and OT personnel to enable the team to prevent, detect and respond to incidents.
About Kaspersky
Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services to protect companies, critical infrastructures, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialized security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250,000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com/