Advanced Tactics of Cyber Espionage Campaigns Unveiled
Kaspersky Global Research and Analysis Team (GReAT) and the Industrial Control Systems Cyber Emergency Response Team (ICS CERT) have revealed significant developments in cyber espionage activities targeting Eastern European industrial companies with the updated MATA toolset. A months-long investigation uncovered sophisticated attack techniques, enhanced capabilities of the updated malware, and a new infection chain.
In early September 2022, new malware samples associated with the MATA cluster, previously linked to the Lazarus group, were identified. This campaign, which targeted over a dozen Eastern European companies, lasted from mid-August 2022 to May 2023. Attackers used spear-phishing emails that exploited the CVE-2021-26411 vulnerability, and malicious Windows executables were also downloaded through web browsers.
The MATA infection chain had a complex structure: an installer, the main Trojan, and identity-theft (credential-stealing) modules were combined with rootkits and targeted sensitive authentication processes. A significant discovery was that internal IP addresses were used as command-and-control (C&C) servers, revealing that the attackers had embedded their control and infiltration systems within the victims' own infrastructure. Kaspersky promptly alerted the affected organizations, enabling a swift response.
One attack began with a credential-phishing spear-phishing email at a factory, infiltrated the network, and put the main company's domain controller at risk. The attackers then leveraged security vulnerabilities and rootkits to gain control over workstations and servers. In particular, they breached the management panels of security solutions to gather information and distribute malware to systems, including those outside the subsidiary organizations and the corporate domain infrastructure.
Vyacheslav Kopeytsev, Senior Security Researcher at Kaspersky ICS CERT, said, "Protecting the industrial sector from targeted attacks requires a vigilant approach that combines proven cybersecurity practices with proactive thinking. Our experts at Kaspersky track the APT's evolution and anticipate their moves to detect new tactics and tools. Our commitment to cybersecurity research stems from our pledge to provide organizations critical information about ever-evolving cyber threats. By being informed and implementing the latest security measures, businesses can strengthen their defenses against such attackers and protect their networks and systems."
Kaspersky researchers recommend the following measures to avoid falling victim to targeted attacks, whether by known or unknown threat actors:
- Ensure your SOC team has access to the latest Threat Intelligence. Kaspersky Threat Intelligence provides a common point of access to threat intelligence that includes data and insights on cyberattacks collected by Kaspersky for over 20 years.
- Strengthen your cybersecurity team with Kaspersky online training developed by GReAT experts to combat the latest targeted threats.
- Specialized solutions like Kaspersky Industrial CyberSecurity can serve as a valuable resource for continuous vulnerability assessment and triage in an effective vulnerability management process.
- Use EDR solutions like Kaspersky Endpoint Detection and Response for endpoint-level detection, investigation, and timely incident remediation.
- In addition to basic endpoint protection, deploy an enterprise-class security solution that detects advanced threats at the network level at an early stage, such as the Kaspersky Anti Targeted Attack Platform.
- As many targeted attacks begin with phishing or other social engineering techniques, train your team in security awareness and develop practical skills. This can be done, for example, through the Kaspersky Automatic Security Awareness Platform.
- Take specialized training such as Digital Forensics and Incident Response in the ICS field from Kaspersky ICS CERT to ensure your team, tools, and processes are ready for sophisticated incident response at your facility.
Kaspersky will be participating in the Security Analyst Summit (SAS) 2023, taking place from October 25 to 28 in Phuket, Thailand, to delve deep into the future of cybersecurity.
The summit will bring together leading anti-malware researchers, global law enforcement agencies, IT incident response teams, and top executives from the finance, technology, health, education, and public sector industries worldwide.
British News Agency