Industrial companies from around the world have been targeted in phishing attacks believed to have been launched by cybercriminals located in Nigeria, Kaspersky Lab reported on Thursday.
In October 2016, Kaspersky’s Industrial Control Systems Cyber Emergency Response Team (ICS CERT) noticed a significant increase in malware infection attempts aimed at industrial organizations in the metallurgy, construction, electric power, engineering and other sectors. The security firm had observed attacks against 500 organizations in more than 50 countries.
The attacks started with spear phishing emails carrying documents set up to exploit an Office vulnerability (CVE-2015-1641) patched by Microsoft in April 2015. The phishing messages were well written and they purported to come from the victim’s suppliers, customers, or delivery services.
The malicious documents delivered a wide range of malware, including ZeuS, Pony, LokiBot, Luminosity RAT, NetWire RAT, HawkEye, ISR Stealer, and the iSpy keylogger. While the significant number of malware families used suggests that the emails could be part of multiple campaigns, there are some elements linking them together.
Researchers noticed that all malware samples delivered in the attacks were packed with VB and .NET packers. Furthermore, they all communicate with the same command and control (C&C) servers. This indicates that it’s either one group behind all attacks, or multiple threat actors are working together.
According to Kaspersky, many of the C&C domains mimicked the domains of industrial companies – the attackers either registered the same name on a different TLD or they registered a name that was very similar to the legitimate domain. In some cases, the cybercriminals breached the targeted organization’s website using stolen credentials and abused it to host malware and C&C servers.
Experts noted that a majority of the C&C domains used in these attacks were registered to residents of Nigeria.
The malware delivered in this campaign has helped the hackers steal data they can use for business email compromise (BEC) attacks, where attackers claim to represent a business partner or customer and trick the targeted organization’s employees into sending them significant amounts of money.
The FBI reported last year that losses caused by BEC scams exceeded $3.1 billion. Nigerian cybercriminals have been running these types of schemes for several years now, but Kaspersky researchers believe they recently came to realize that targeting larger companies can be more lucrative and last year they turned their attention to industrial organizations.
“Nigerian phishing attacks are particularly dangerous for industrial companies. In the event of a successful attack, the company making a purchase not only loses money but also fails to receive the goods they need on time,” said Kaspersky researchers. “This can be critical for industrial companies: if the goods are raw materials used in manufacturing or spare parts needed to repair equipment, their non-delivery can result in downtime or failure to perform scheduled maintenance or commissioning and start-up work.”
Furthermore, experts pointed out that the malware used in these attacks has stolen a wide range of data, including files apparently coming from the workstations of operators, engineers, architects and designers. While it’s unclear if the theft of such files has been monetized, researchers noted that this can pose a serious threat. Kaspersky has also warned that cybercriminals could use their access to make unauthorized changes to industrial control systems (ICS).
Related: Learn More at SecurityWeek’s 2017 ICS Cyber Security Conference
Related: Targeted Attacks on Industrial Sector Increasingly Common
Related: Security Incidents Can Cost Industrial Firms $500K Per Year