Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Russian Hacker Group Continues Stealing Money From Industrial Enterprises

A Russian-speaking threat actor has been targeting hundreds of industrial enterprises for more than two years, Kaspersky’s security researchers report.

A Russian-speaking threat actor has been targeting hundreds of industrial enterprises for more than two years, Kaspersky’s security researchers report.

Focused on companies in Russia, the ongoing attacks are highly targeted, leveraging phishing emails for malware deployment. In some cases, legitimate documents that were stolen in previous attacks are leveraged for social engineering.

Another characteristic of these attacks is the use of remote administration utilities, including Remote Manipulator System/Remote Utilities (RMS) and TeamViewer. Malware is employed to hide the user interface of these programs, to avoid attracting attention.

The campaign was first detailed in 2018, when Kaspersky said that more than 400 organizations had been hit. Now, the security researchers reveal that the attackers have updated their techniques and that the number of victim organizations has increased.

Specifically, the adversary switched to using the web interface of RMS’s cloud infrastructure as a notification channel for getting the infected machine’s TeamViewer ID, instead of the malware command and control servers. In an ongoing attack, spyware and Mimikatz have been employed for credential theft.

Pretending to be business partners of the targeted organization, the hackers ask their intended victims to review attached documents. The emails are individually crafted for each victim and the attachments are password-protected, to prevent scanning by anti-virus engines.

The attachment contains obfuscated JavaScript scripts and legitimate PDF files. In recent attacks, the hackers started using actual documents related to the organization’s activity, including scanned copies of memos, letters, and procurement documentation forms, seemingly stolen in earlier attacks.

The JavaScript script would launch the malware, which installs a version of TeamViewer, as well as additional malware when more information needs to be collected from the target machine. In previous attacks, the hackers employed malicious DLLs to hide TeamViewer’s user interface and keep the attack out of sight.

Advertisement. Scroll to continue reading.

Payloads fetched by the malicious scripts are stored on resources mimicking the websites of Russian-speaking companies, Kaspersky says.

Victims of these attacks include Russian companies from the manufacturing, oil and gas, metal industry, engineering, energy, construction, mining, and logistics sectors. The attackers appear to have a particular interest in the energy sector.

The purpose of the campaign is to steal money from the targeted organizations and Kaspersky believes that a Russian-speaking group is behind it. The adversary gains complete control of the target systems, after which they start looking for financial and accounting software and relevant documents, which are used to commit financial fraud.

“Clearly, the attackers’ remote access to infected systems also poses other threats, such as the organization’s sensitive data being leaked, systems being put out of operation, etc. As the latest events have shown, the attackers use documents that were probably stolen from organizations to carry out subsequent attacks, including attacks on victim companies’ partners,” Kaspersky concludes.

Related: Phishing Campaign Targets 400 Industrial Organizations

Related: Most Security Pros Prefer Enterprise Over Industrial Cybersecurity: Survey

Related: Industrial Suppliers in Japan, Europe Targeted in Sophisticated Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.