APT group takes over IT infrastructure

By Staff Writer, ITWeb
Johannesburg, 12 Aug 2022

Kaspersky researchers have observed a wave of targeted attacks on military-industrial complex enterprises and public institutions in several Eastern European countries and in Afghanistan.

In these instances, the bad actors were able to take control of victims’ entire IT infrastructure, in order to commit industrial espionage.

In January this year, the researchers noted several advanced attacks on military enterprises and public organisations. The attackers’ motive was to access entities’ private information and to gain control over their IT systems.

The malware used by the attackers is similar to that deployed by TA428, a Chinese-speaking APT group.

Careful research

The malefactors infiltrate enterprise networks by sending cunningly crafted phishing e-mails, some of which contain information specific to the target organisation that was not publicly available at the time when e-mails were sent. This shows that the criminals behind these attacks are well prepared, and are selecting their targets in advance.

The phishing e-mails include a Microsoft Word document with malicious code that exploits a vulnerability in outdated versions of the Microsoft Equation Editor, a component of Microsoft Office. It allows a threat actor to execute arbitrary code without any further action by the user.

In addition, the attackers employed six different backdoors at once, to set up additional communication channels with infected systems in the event that one of the malicious programs was detected and removed by a security solution.

Controlling infected systems

The backdoors provide extensive functionality for controlling infected systems and exfiltrating proprietary data.

The final stage of the attack sees the criminals hijacking the domain controller and gaining complete control of all the company’s workstations and servers. In one instance, they even managed to take over the cyber security solutions control centre.

Once they had gained domain administrator privileges and access to the Active Directory, the bad actors ran the 'golden ticket' attack to impersonate organisations’ arbitrary user accounts and look for the documents and other files that contain the data they are after, which they then exfiltrate to the attackers’ servers hosted in a range of countries.

Vyacheslav Kopeytsev, a security expert at Kaspersky ICS CERT, says golden ticket attacks take advantage of the default authentication protocol which has been used since the availability of Windows 2000. “By forging Kerberos Ticket Granting Tickets (TGTs) within the corporate network, the attackers can independently access any service that belongs to the network for an unlimited time. As a result, just changing passwords or blocking compromised accounts won’t be enough. Our advice is to check carefully all suspicious activity and rely on trustworthy security solutions,” he adds.
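Because a forged TGT is minted offline, the domain controller never logs the initial TGT request (event 4768) for it, yet service ticket requests (event 4769) using that TGT do appear. The following is an added detection example, not code from the article or from Kaspersky; it runs a heuristic over constructed domain controller events and assumes the default 10-hour maximum TGT lifetime.

```python
from datetime import datetime, timedelta

# Constructed sample of domain controller Security events (4768 = TGT requested,
# 4769 = service ticket requested); accounts, hosts and times are made up.
SAMPLE_EVENTS = [
    {"id": 4768, "time": "2022-08-12T08:00:05", "account": "alice",
     "etype": "0x12", "service": "krbtgt"},
    {"id": 4769, "time": "2022-08-12T08:01:10", "account": "alice",
     "etype": "0x12", "service": "cifs/fileserver"},
    # No 4768 ever recorded for this account, and the ticket uses RC4.
    {"id": 4769, "time": "2022-08-12T09:30:00", "account": "svc_backup",
     "etype": "0x17", "service": "ldap/dc01"},
    {"id": 4769, "time": "2022-08-12T09:31:00", "account": "svc_backup",
     "etype": "0x17", "service": "cifs/dc01"},
]

# Assumed domain policy "Maximum lifetime for user ticket" (default is 10 hours).
MAX_TGT_AGE = timedelta(hours=10)


def find_suspicious_tgs(events, max_tgt_age=MAX_TGT_AGE):
    """Return (account, service, reasons) for 4769 events that look like they
    relied on a forged TGT.

    Heuristic 1: no 4768 for the same account within max_tgt_age before the
    service ticket request. Genuine TGTs are issued by the KDC and logged.
    Heuristic 2: RC4 (0x17) service ticket, a common downgrade signature when
    an AES-only account suddenly presents an RC4 ticket.
    Caveats: collect from every DC and use a lookback of at least max_tgt_age,
    otherwise TGTs issued before the log window cause false positives."""
    events = sorted(events, key=lambda e: e["time"])
    tgt_times = {}
    for e in events:
        if e["id"] == 4768:
            tgt_times.setdefault(e["account"], []).append(
                datetime.fromisoformat(e["time"]))
    findings = []
    for e in events:
        if e["id"] != 4769:
            continue
        t = datetime.fromisoformat(e["time"])
        recent = [x for x in tgt_times.get(e["account"], [])
                  if t - max_tgt_age <= x <= t]
        reasons = []
        if not recent:
            reasons.append("no 4768 for account within TGT lifetime")
        if e["etype"] == "0x17":
            reasons.append("RC4 service ticket (possible downgrade)")
        if reasons:
            findings.append((e["account"], e["service"], reasons))
    return findings


if __name__ == "__main__":
    for account, service, reasons in find_suspicious_tgs(SAMPLE_EVENTS):
        print(f"{account} -> {service}: {'; '.join(reasons)}")
```

A hit on heuristic 1 alone is the stronger signal; in a real environment the lookback must span the whole ticket lifetime and every domain controller's log, as the comments note.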

Protect IT infrastructure too

To protect ICS computers from various threats, Kaspersky experts recommend that businesses regularly update the operating systems and application software that are part of the enterprise’s network, and apply security fixes and patches to IT and OT network equipment as soon as they are available.

In addition, Kaspersky advises conducting regular security audits of IT and OT systems to identify and eliminate possible vulnerabilities, and using ICS network traffic monitoring, analysis and detection solutions for better protection from attacks that could threaten technological processes and main enterprise assets.

Also, implement dedicated security training for IT security teams and OT engineers, to improve response to new and advanced malicious techniques, and provide security teams responsible for protecting industrial control systems with up-to-date threat intelligence.

Finally, use security solutions for OT endpoints and networks to ensure comprehensive protection for all industry-critical systems, and protect IT infrastructure as well.