SecurityWeek

Security Infrastructure

Phishing Email Targeting DigitalBond Linked to Other Campaigns

Earlier this week, the Industrial Control System (ICS) security assessment firm DigitalBond posted details of a phishing attack that targeted the company. Further research into the attempt has linked the attackers to similar campaigns targeting defense contractors and universities.

“It’s a bit concerning that a company whose sole focus is securing industrial control systems should be spear phished. Thankfully the attack was unsuccessful — paranoia pays off,” wrote DigitalBond’s Reid Wightman.

The email, reprinted in full in the DigitalBond blog post, used a mix of industry jargon and a PDF file on ICS security to appear legitimate. If the attachment was opened, the referenced material would be displayed as expected, but the attackers would also deliver malicious payloads to the system. A technical outline of the attack itself is available from IOActive and AlienVault.
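A decoy document that renders normally while also carrying an active payload is the pattern described above. The following is an added example, not code from the article or from DigitalBond, IOActive or AlienVault: a small triage scanner that flags the PDF features most often abused for that purpose (auto-run actions, JavaScript, launch actions, embedded files). The PDF fixtures are hand-constructed and minimal; real attachments usually compress objects into Flate-encoded object streams, which this plain-text scan cannot see inside, so the scanner flags /ObjStm itself as a reason for deeper inspection rather than claiming to decode it.

```python
import re

# Constructed test fixture: a minimal PDF with an /OpenAction that runs
# JavaScript and an embedded file. Not the attachment from the real email.
SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /JavaScript /JS (app.alert('decoy')) >> endobj
5 0 obj << /Type /Filespec /F (notes.exe) /EF << /F 6 0 R >> >> endobj
6 0 obj << /Type /EmbeddedFile /Length 4 >> stream
MZ..
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed benign fixture: catalog, page tree, one empty page.
CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Same payload with the name token hex-escaped (#61 == 'a'), a common way
# to dodge naive string matching; PDF readers still resolve it to /JavaScript.
OBFUSCATED_PDF = SUSPICIOUS_PDF.replace(b"/JavaScript", b"/J#61vaScript")

# PDF name objects worth a second look, with the reason each matters.
RISKY_KEYS = {
    b"/OpenAction": "action runs automatically when the document opens",
    b"/AA": "additional-actions dictionary (event-triggered actions)",
    b"/JavaScript": "embedded JavaScript",
    b"/JS": "JavaScript code string or stream",
    b"/Launch": "launch action (can start an external program)",
    b"/EmbeddedFile": "embedded file stream",
    b"/RichMedia": "rich media (Flash) annotation",
    b"/ObjStm": "object streams (can hide objects from a plain-text scan)",
}

def normalize_names(data: bytes) -> bytes:
    """Resolve #XX hex escapes inside PDF names so /J#61vaScript becomes /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def scan_pdf(data: bytes) -> dict:
    """Return {name: (hit_count, reason)} for every risky name found in the file."""
    data = normalize_names(data)
    findings = {}
    for key, why in RISKY_KEYS.items():
        # Require a delimiter after the name so /JS does not match inside /JSFoo.
        pattern = re.escape(key) + rb"(?=[\s/\[\]<>(])"
        hits = len(re.findall(pattern, data))
        if hits:
            findings[key.decode()] = (hits, why)
    return findings

def is_suspicious(data: bytes) -> bool:
    """Verdict: an auto-trigger paired with code/launch, or any embedded file."""
    f = scan_pdf(data)
    trigger = "/OpenAction" in f or "/AA" in f
    active = any(k in f for k in ("/JavaScript", "/JS", "/Launch"))
    return (trigger and active) or "/EmbeddedFile" in f

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_PDF),
                        ("clean", CLEAN_PDF),
                        ("obfuscated", OBFUSCATED_PDF)):
        print(label, is_suspicious(blob), scan_pdf(blob))
```

A hit here is a reason to detonate the file in a sandbox or open it in a reader with JavaScript disabled, not proof of malice: legitimate forms use /AA and /JS too, which is why the verdict requires a trigger paired with active content before it fires.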

The technical analysis also revealed the bigger picture: DigitalBond was just one potential victim in a larger pool.

“We have identified that the group behind these attacks is using hacked web servers to host the malicious configuration files. Based on the networks hosting the C&C IPs (mainly universities), it is very likely that these servers are also hacked and some kind of proxy is installed on them to redirect the traffic to the real C&C server,” AlienVault’s Jaime Blasco explained.

The list of potential (and likely) victims and confirmed targets is a diverse group. In addition to DigitalBond, it includes NJVC (a DOD contractor), the Chertoff Group, customers of Equifax’s Anakam two-factor authentication, attendees of the IT SCC meeting, Carnegie Mellon University, Purdue University, and the University of Rhode Island.

“Despite the fact that attribution is the most polemic task nowadays, we would like to note that code, tricks and certain infrastructure usually present in the Chinese hacking scene have been identified in this campaign,” added IOActive’s Ruben Santamarta.

With that said, analysis from the Shadowserver Foundation has linked the attacks to McAfee’s Shady RAT operation.

However, the case is still open, according to DigitalBond’s Dale Peterson. “Everyone who is looking at it says China. That said, if you were good at malware development and analysis, you could mimic another’s attack technique to throw them off the scent,” he wrote.

“Obviously it has raised our already high attention on our individual system’s integrity, and our hope is it will get others in the ICS to pay attention. If someone is bothering to target little Digital Bond, there is a good chance they are also targeting critical infrastructure owner/operators and vendors where the return on effort is much better.”
