Earlier this week, DigitalBond, an Industrial Control System (ICS) security assessment firm, posted details of a phishing attack targeting its company. Additional research into the attempt has linked the attackers to similar campaigns targeting defense contractors and universities.
“It’s a bit concerning that a company whose sole focus is securing industrial control systems should be spear phished. Thankfully the attack was unsuccessful — paranoia pays off,” wrote DigitalBond’s Reid Wightman.
The email, reprinted in full in the DigitalBond blog post, used a mix of industry jargon and an attached PDF on ICS security to appear legitimate. If the attachment were opened, the referenced document would be displayed as expected, but the attackers would also deliver malicious payloads to the system. A technical outline of the attack itself is available from IOActive and AlienVault.
The technical analysis revealed a bigger picture: DigitalBond was only one potential victim in a much larger pool.
“We have identified that the group behind these attacks is using hacked web servers to host the malicious configuration files. Based on the networks hosting the C&C IPs (mainly universities), it is very likely that these servers are also hacked and some kind of proxy is installed on them to redirect the traffic to the real C&C server,” AlienVault’s Jaime Blasco explained.
The list of confirmed targets and likely victims is a diverse group. In addition to DigitalBond, it includes NJVC (a DOD contractor), the Chertoff Group, customers of Equifax's Anakam two-factor authentication, attendees of the IT SCC meeting, Carnegie Mellon University, Purdue University, and the University of Rhode Island.
“Despite the fact that attribution is the most polemic task nowadays, we would like to note that code, tricks and certain infrastructure usually present in the Chinese hacking scene have been identified in this campaign,” added IOActive’s Ruben Santamarta.
With that said, analysis from the Shadowserver Foundation has linked the attacks to McAfee’s Shady RAT operation.
However, the case is still open, according to DigitalBond’s Dale Peterson. “Everyone who is looking at it says China. That said, if you were good at malware development and analysis, you could mimic another’s attack technique to throw them off the scent,” he wrote.
“Obviously it has raised our already high attention on our individual system’s integrity, and our hope is it will get others in the ICS to pay attention. If someone is bothering to target little Digital Bond, there is a good chance they are also targeting critical infrastructure owner/operators and vendors where the return on effort is much better.”