Phishing Attacks Hit More Than 400 Industrial Companies
Experts from Kaspersky Lab have detected a new wave of phishing emails with malicious attachments targeting at least 400 industrial companies, primarily in Russia. According to researchers, the main goal of the cybercriminals is to steal funds from the organizations’ accounts. This series of attacks began in September 2017 and is still ongoing, with the first similar incidents recorded as early as 2015.
Kaspersky Lab reports that around 800 computers belonging to employees of industrial companies have been attacked so far. The affected industries include oil and gas, metallurgy, engineering, energy, construction, mining, and logistics.
How the Attacks Work
Typically, the attackers send emails that appear to be legitimate business correspondence about payment for services, transaction processing, document reconciliation, and other financial matters. The malicious attachments are either packed in archives or, in some cases, omitted altogether; in that case the user is prompted to follow a link to an external site and download the malware from there. The cybercriminals address each employee by full name, craft personalized emails, and take into account the specifics of the targeted organizations.
Phishing Email Example
The malware used by the attackers installs modified remote administration software on the system, specifically TeamViewer or Remote Manipulator System (RMS). This gives the attackers control over the compromised systems, and during the attack they use various techniques to conceal the infection. Next, the attackers search for and study documents related to ongoing purchases, along with the software used for accounting operations. The information they gather helps them carry out financial transactions. In particular, the criminals substitute the payment details in payment orders, so that funds are sent to third-party recipients instead of the intended ones.
If the attackers need additional data or capabilities after infecting a system, they download an extra set of malware tailored to the specifics of each victim. This may include spyware, additional remote administration utilities to expand control over infected systems, malware for exploiting vulnerabilities in the operating system and application software, as well as the Mimikatz utility, which allows them to obtain Windows account credentials.
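The payment-detail substitution described above can be caught before money leaves the organization by checking every outgoing order against a vetted counterparty registry that the accounting workstation cannot edit. The following is an added illustration, not code from Kaspersky Lab or from the report; all counterparty names, account numbers and bank codes in it are constructed samples.

```python
"""Hold outgoing payment orders whose beneficiary details do not match a vetted registry.

Added illustration, not code from the Kaspersky Lab report. All names, account
numbers and bank codes below are constructed samples.
"""

# Vetted registry: counterparty -> (account number, bank code), confirmed with each
# counterparty over a known-good phone number when the record was created.
VETTED_REGISTRY = {
    "Uralsteel Supply LLC": ("40702810100000001111", "044525225"),
    "NorthPipe Logistics": ("40702810200000002222", "044525593"),
}


def check_order(order, registry=VETTED_REGISTRY):
    """Return the reasons an order must be held; an empty list means it may proceed."""
    vetted = registry.get(order["beneficiary"])
    if vetted is None:
        return ["unknown counterparty"]
    account, bank_code = vetted
    reasons = []
    if order["account"] != account:
        reasons.append("account differs from vetted record")
    if order["bank_code"] != bank_code:
        reasons.append("bank code differs from vetted record")
    return reasons


def triage(orders):
    """Map each order id to its hold reasons; clean orders are omitted."""
    held = {}
    for order in orders:
        reasons = check_order(order)
        if reasons:
            held[order["id"]] = reasons
    return held


# Constructed batch: PO-1002 carries substituted details, the pattern described above.
SAMPLE_ORDERS = [
    {"id": "PO-1001", "beneficiary": "Uralsteel Supply LLC",
     "account": "40702810100000001111", "bank_code": "044525225"},
    {"id": "PO-1002", "beneficiary": "NorthPipe Logistics",
     "account": "40702810999999999999", "bank_code": "044525999"},
    {"id": "PO-1003", "beneficiary": "Unknown Trading Co",
     "account": "40702810300000003333", "bank_code": "044525974"},
]

if __name__ == "__main__":
    for order_id, reasons in triage(SAMPLE_ORDERS).items():
        print(order_id, "HOLD:", "; ".join(reasons))
```

Held orders should be confirmed with the counterparty using the contact details stored in the registry, never the ones printed in the suspicious document or email.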
Expert Commentary
“Cybercriminals have shown a clear interest in industrial companies. Based on our experience, we can assume this is related to the level of cybersecurity awareness among employees of the targeted organizations. Unfortunately, it is significantly lower than in other sectors of the economy, such as the financial services market,” said Vyacheslav Kopeytsev, antivirus expert at Kaspersky Lab.