Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



Spear Phishing Attacks Target Industrial Firms

Kaspersky Lab on Friday shared details of a targeted attack campaign against industrial organizations that began in late summer and is still ongoing.

Kaspersky Lab on Friday shared details of a targeted attack campaign against industrial organizations that began in late summer and is still ongoing.

The campaign, which Kaspersky Lab says began in August 2016, targeted several companies, including those in the smelting, power generation and transmission, construction, and engineering industries. 

Most of the organizations attacked in the campaigns are vendors of industrial automation solutions and system support contractors, such as companies that design, build and provide solutions for critical infrastructure, a blog post published on the recently launched Kaspersky Lab ICS CERT site explains.

In typical spear phishing fashion, the attackers sent emails containing various subject lines designed to lure targets and appear as though they were from a legitimate sender. 

Interestingly, analysis of the email headers revealed that most of them were sent from legitimate email addresses belonging to valid organizations.

“In some cases, the subject line contained the actual text used in an organization’s correspondence. That can only happen if the source emails were accessible to hackers and were, possibly, compromised earlier,” the report explained.  “The hackers could have accessed and read previous communications between the target and their partners. They may then have used this information to craft ‘legitimate’ email communications, so that the victim didn’t recognize the malicious aspect of the email.”

Attachments to the malicious emails included RTF files containing an exploit for the CVE-2015-1641 vulnerability, an older vulnerability in Microsoft Office that was patched in April 2015. According to a report from Sophos, CVE-2015-1641 is one of the most popular exploits targeting vulnerabilities in Microsoft Office to compromise systems. 

Advertisement. Scroll to continue reading.

As far as the malware used in the attacks, Kaspersky found that no new code was written specifically for this campaign, but cautioned that the malware used “specific VB and MSIL packers that can diminish the ability” of antivirus products to detect the malware.

After compromising systems, attackers used an array of tools that can be used to spy on users and steal sensitive data. Tools used include credential-stealing malware FareIT/Pony 2.0, Luminosity RAT (remote access Trojan), HawkEye Keylogger, ISR Stealer, NetWire RAT, and a variant of the Zeus banking malware called Zeus Atmos which can inject code into web web pages in order to steal data.

Based on data that Kaspersky has been able to gather since October 2016, roughly 500 organizations from 50 countries have been affected by the attack so far. The report did not say how many may organizations have been successfully compromised in the attacks. Additionally, the report does not suggest that any control system devices or OT networks had been compromised.

Additional details and a list of IOCs (Indicators of Compromise) are available on the Kaspersky ICS-CERT website.

Related: Learn More at SecurityWeek’s ICS Cyber Security Conference 

Related: One-Third of ICS Flaws Are Zero-Days When Disclosed

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...


Wago has patched critical vulnerabilities that can allow hackers to take complete control of its programmable logic controllers (PLCs).


Cybersecurity firm Forescout shows how various ICS vulnerabilities can be chained for an exploit that allows hackers to cause damage to a bridge.


More than 1,300 ICS vulnerabilities were discovered in 2022, including nearly 1,000 that have a high or critical severity rating.


Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.

Cybersecurity Funding

Internet of Things (IoT) and Industrial IoT security provider Shield-IoT this week announced that it has closed a $7.4 million Series A funding round,...


Siemens and Schneider Electric address nearly 100 vulnerabilities across several of their products with their February 2023 Patch Tuesday advisories.