Industrial Companies Targeted by Nigerian Cybercriminals

Industrial companies from around the world have been targeted in phishing attacks believed to have been launched by cybercriminals located in Nigeria, Kaspersky Lab reported on Thursday.

In October 2016, Kaspersky’s Industrial Control Systems Cyber Emergency Response Team (ICS CERT) noticed a significant increase in malware infection attempts aimed at industrial organizations in the metallurgy, construction, electric power, engineering and other sectors. The security firm had observed attacks against 500 organizations in more than 50 countries.

The attacks started with spear phishing emails carrying documents set up to exploit an Office vulnerability (CVE-2015-1641) patched by Microsoft in April 2015. The phishing messages were well written and they purported to come from the victim’s suppliers, customers, or delivery services.

The malicious documents delivered a wide range of malware, including ZeuS, Pony, LokiBot, Luminosity RAT, NetWire RAT, HawkEye, ISR Stealer, and the iSpy keylogger. While the significant number of malware families used suggests that the emails could be part of multiple campaigns, there are some elements linking them together.

Researchers noticed that all malware samples delivered in the attacks were packed with VB and .NET packers. Furthermore, they all communicate with the same command and control (C&C) servers. This indicates that it’s either one group behind all attacks, or multiple threat actors are working together.

According to Kaspersky, many of the C&C domains mimicked the domains of industrial companies – the attackers either registered the same name on a different TLD or they registered a name that was very similar to the legitimate domain. In some cases, the cybercriminals breached the targeted organization’s website using stolen credentials and abused it to host malware and C&C servers.
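A defender can check observed domains (mail senders, proxy or DNS logs) against a list of known partner domains for the two patterns described above. The following is an added example, not code from Kaspersky or SecurityWeek; every domain name in it is constructed, and the naive "last label is the TLD" split is an assumption that ignores multi-part suffixes such as `co.uk`.

```python
# Added example: flag domains that imitate known partner domains.
# All domain names here are constructed for illustration.

def split_domain(domain):
    """Return (name, tld) using the last two labels.
    Assumption: single-label TLDs only; use a public-suffix list otherwise."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]

def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(observed, trusted, max_distance=2):
    """Return (verdict, trusted domain it matches or imitates)."""
    name, tld = split_domain(observed)
    known = {split_domain(t): t for t in trusted}
    if (name, tld) in known:
        return "trusted", known[(name, tld)]
    # Pattern 1: the same name registered under a different TLD.
    for (t_name, _), t in known.items():
        if name == t_name:
            return "same-name-different-tld", t
    # Pattern 2: a name within a few edits of a trusted one.
    # Very short names give too many near matches, so they are skipped.
    for (t_name, _), t in known.items():
        if len(t_name) >= 5 and edit_distance(name, t_name) <= max_distance:
            return "similar-name", t
    return "unrelated", None

def scan(observed_domains, trusted):
    """Return only the suspicious domains, with verdict and imitated partner."""
    hits = []
    for d in observed_domains:
        verdict, match = classify(d, trusted)
        if verdict in ("same-name-different-tld", "similar-name"):
            hits.append((d, verdict, match))
    return hits

TRUSTED = ["acme-steel.example", "northgrid-power.example"]  # constructed
OBSERVED = ["mail.acme-steel.example", "acme-steel.test",
            "acrne-steel.example", "weather.example"]        # constructed
```

Matches are leads for review rather than verdicts: a partner may legitimately own several TLDs, so confirmed variants belong in the trusted list.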

Experts noted that a majority of the C&C domains used in these attacks were registered to residents of Nigeria.

The malware delivered in this campaign has helped the hackers steal data they can use for business email compromise (BEC) attacks, where attackers claim to represent a business partner or customer and trick the targeted organization’s employees into sending them significant amounts of money.

The FBI reported last year that losses caused by BEC scams exceeded $3.1 billion. Nigerian cybercriminals have been running these types of schemes for several years now, but Kaspersky researchers believe they recently came to realize that targeting larger companies can be more lucrative, and last year they turned their attention to industrial organizations.

“Nigerian phishing attacks are particularly dangerous for industrial companies. In the event of a successful attack, the company making a purchase not only loses money but also fails to receive the goods they need on time,” said Kaspersky researchers. “This can be critical for industrial companies: if the goods are raw materials used in manufacturing or spare parts needed to repair equipment, their non-delivery can result in downtime or failure to perform scheduled maintenance or commissioning and start-up work.”

Furthermore, experts pointed out that the malware used in these attacks has stolen a wide range of data, including files apparently coming from the workstations of operators, engineers, architects and designers. While it’s unclear if the theft of such files has been monetized, researchers noted that this can pose a serious threat. Kaspersky has also warned that cybercriminals could use their access to make unauthorized changes to industrial control systems (ICS).

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
