Industrial Companies Targeted by Nigerian Cybercriminals

Industrial companies from around the world have been targeted in phishing attacks believed to have been launched by cybercriminals located in Nigeria, Kaspersky Lab reported on Thursday.

In October 2016, Kaspersky’s Industrial Control Systems Cyber Emergency Response Team (ICS CERT) noticed a significant increase in malware infection attempts aimed at industrial organizations in the metallurgy, construction, electric power, engineering and other sectors. The security firm had observed attacks against 500 organizations in more than 50 countries.

The attacks started with spear phishing emails carrying documents set up to exploit an Office vulnerability (CVE-2015-1641) patched by Microsoft in April 2015. The phishing messages were well written and they purported to come from the victim’s suppliers, customers, or delivery services.

The malicious documents delivered a wide range of malware, including ZeuS, Pony, LokiBot, Luminosity RAT, NetWire RAT, HawkEye, ISR Stealer, and the iSpy keylogger. While the significant number of malware families used suggests that the emails could be part of multiple campaigns, there are some elements linking them together.

Researchers noticed that all malware samples delivered in the attacks were packed with VB and .NET packers. Furthermore, they all communicate with the same command and control (C&C) servers. This indicates that it’s either one group behind all attacks, or multiple threat actors are working together.

According to Kaspersky, many of the C&C domains mimicked the domains of industrial companies – the attackers either registered the same name on a different TLD or they registered a name that was very similar to the legitimate domain. In some cases, the cybercriminals breached the targeted organization’s website using stolen credentials and abused it to host malware and C&C servers.
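A defender can screen sender and proxy-log domains for the two imitation patterns described above. The following is an added example, not code from Kaspersky or SecurityWeek; the partner list, the domain names and the distance threshold of 2 are assumptions chosen for illustration.

```python
# Added example; every domain here is constructed sample data on reserved TLDs.
KNOWN_DOMAINS = ["acme-steel.example", "northgrid-power.example"]  # hypothetical partners


def split_domain(domain):
    """Return (name, tld) from the last two labels.

    Assumption: single-label TLDs; production code should use the Public Suffix List.
    """
    labels = domain.lower().rstrip(".").split(".")
    return (labels[-2], labels[-1]) if len(labels) > 1 else (labels[0], "")


def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(observed, known=KNOWN_DOMAINS, max_dist=2):
    """Return (reason, imitated_domain), or None if nothing looks imitated."""
    name, tld = split_domain(observed)
    parsed = [(split_domain(k), k) for k in known]
    if any((name, tld) == kd for kd, _ in parsed):
        return None  # the genuine domain or one of its subdomains
    for (kname, ktld), k in parsed:
        if name == kname:
            return ("same-name-different-tld", k)
        if edit_distance(name, kname) <= max_dist:
            return ("similar-name", k)
    return None


if __name__ == "__main__":
    for d in ["mail.acme-steel.example", "acme-steel.test",
              "acrne-steel.example", "unrelated-site.example"]:
        print(d, "->", classify(d))
```

Short company names produce false positives at a distance of 2, so the threshold should shrink with name length in real use.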

Experts noted that a majority of the C&C domains used in these attacks were registered to residents of Nigeria.

The malware delivered in this campaign has helped the hackers steal data they can use for business email compromise (BEC) attacks, where attackers claim to represent a business partner or customer and trick the targeted organization’s employees into sending them significant amounts of money.

The FBI reported last year that losses caused by BEC scams exceeded $3.1 billion. Nigerian cybercriminals have been running these types of schemes for several years now, but Kaspersky researchers believe they recently came to realize that targeting larger companies can be more lucrative and last year they turned their attention to industrial organizations.

“Nigerian phishing attacks are particularly dangerous for industrial companies. In the event of a successful attack, the company making a purchase not only loses money but also fails to receive the goods they need on time,” said Kaspersky researchers. “This can be critical for industrial companies: if the goods are raw materials used in manufacturing or spare parts needed to repair equipment, their non-delivery can result in downtime or failure to perform scheduled maintenance or commissioning and start-up work.”

Furthermore, experts pointed out that the malware used in these attacks has stolen a wide range of data, including files apparently coming from the workstations of operators, engineers, architects and designers. While it’s unclear if the theft of such files has been monetized, researchers noted that this can pose a serious threat. Kaspersky has also warned that cybercriminals could use their access to make unauthorized changes to industrial control systems (ICS).

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
