Kaspersky discovers that Nigerian phishing scammers targeting industrial companies steal IP and network plans

Kaspersky Lab reported this week by its Industrial Control Systems Cyber Emergency Response Team (ICS CERT), which found attackers behind a recent surge in phishing attacks on industrial companies are stealing victims’ project and operational plans, as well as diagrams of electrical and information networks. These purposeful actions raise concerns for experts about the cybercriminals’ future intentions.

Late last year, late 2016, the Kaspersky Lab ICS CERT reported on phishing attacks that were primarily targeting industrial companies from the metallurgy, electric power, construction, engineering and other sectors. As further research demonstrated, this was just part of a bigger story that began much earlier and is unlikely to end any time soon.

In October 2016, Kaspersky Lab products detected a surge in malware infection attempts on the computers of our customers who had industrial control systems installed. The malware used in these attacks was a specific modification of an exploit for a vulnerability dating back to 2015. Further analysis of the incident led the company to phishing messages disguised as business correspondence that were used to distribute the exploit.

Phishers have long since discovered the advantages of attacking companies (they obviously have much more money in their accounts than ordinary users and they usually conduct much larger transactions than individuals). The emails used in such attacks are made to look as legitimate as possible so that the employees who receive them open the accompanying malicious attachments without giving them much thought.

In this case, Kaspersky is dealing with phishing messages that targeted not only commercial organizations but, in most cases, industrial enterprises. The security company discovered over 500 attacked companies in more than 50 countries. Most of these companies are industrial enterprises and large transportation and logistics corporations.

Kaspersky Lab ICS CERT is a special Kaspersky Lab project that will offer a variety of information services, starting from the intelligence on the latest threats and security incidents with mitigation strategies and all the way up to incident response and investigation consultancy and services. In addition to the latest intelligence about threats and vulnerabilities, Kaspersky Lab’s Industrial CERT will share expertise on compliance. Being a non-commercial project, ICS CERT will share information and expertise to its members free of charge.

The emails were sent on behalf of various companies that did business with potential victims: suppliers, customers, commercial organizations and delivery services. The emails asked recipients to check information in an invoice as soon as possible, clarify product pricing or receive goods specified in the delivery note attached.

The phishers clearly tried hard to make their fake messages look very convincing to the employees of targeted companies. Kaspersky has seen attachments with names such as “Energy & Industrial Solutions W.L.L_pdf”, “Woodeck Specifications best Prices Quote.uue” and “Saudi Aramco Quotation Request for October 2016”.

The attack sequence begins with a carefully crafted phishing email, appearing to come from suppliers, customers, commercial organizations and delivery services. The attackers use malware belonging to at least eight different Trojan-spy and backdoor families, all available cheaply on the black market, and designed primarily to steal confidential data and install remote administration tools on infected systems.

On infected corporate computers, the attackers take screenshots of correspondence or redirect messages to their own mail box so they can look out for lucrative transactions. The payment is then intercepted through a classic man-in-the-middle attack, by replacing the account details in a legitimate seller’s invoice with the attackers’ own.

While analyzing the command-and-control servers used in the most recent 2017 attacks, the researchers noted that screenshots of operations and project plans, as well as technical drawings and network diagrams were among the data stolen. Further, these images had not been taken from the computers of project managers or procurement managers, the attackers’ usual targets, but from those belonging to operators, engineers, designers and architects.

“There is no need for the attackers to collect this kind of data in order to perpetrate their phishing scams, said Maria Garnaeva, Senior Security Researchers, Critical Infrastructure Threat Analysis, Kaspersky Lab. “What are they doing with this information? Is the collection accidental, or intentional, perhaps commissioned by a third party? So far, we have not seen any of the information stolen by Nigerian cybercriminals on the black market; however, it is clear that for the companies being attacked, in addition to the direct financial loss, a Nigerian phishing attack poses other, possibly more serious, threats.”

The next step could be for attackers to gain access to the computers that form part of an industrial control system, where any interception or adjustment of settings could have a devastating impact.

When the researchers extracted the command and control (C&C) addresses from the malicious files, it turned out that in some cases the same servers were used for malware from different families. This suggests there is either one cybercriminal group behind all the attacks, making use of different malware, or a number of groups cooperating and sharing resources. The researchers also found that most domains were registered to residents of Nigeria.


Leave a Reply

WWPI – Covering the best in IT since 1980