Spear-phishing e-mails target industrial organisations
A slew of new financial spear-phishing e-mails, disguised as legitimate procurement and accounting letters, have hit at least 400 industrial organisations, mostly in Russia.
Discovered by researchers at Kaspersky Lab, these attacks began in September last year and targeted several hundred company PCs in industries ranging from oil and gas to metallurgy, energy, construction, and logistics.
Although the attacks affected other organisations too, they were predominantly focused on industrial organisations. The e-mails contained malicious attachments, aimed at tricking unsuspecting users into giving away confidential data, which could be used to steal money from their accounts, or used in new attacks.
According to Kaspersky Lab, these e-mails targeted approximately 800 employee PCs, and were crafted to appear like genuine procurement and accounting letters, containing content that corresponded to the profile of the attacked organisations and taking into account the identity of the recipient of the letter.
"It is noteworthy that the attackers even addressed the targeted victims by name. This suggests that the attacks were carefully prepared and that criminals took the time to develop an individual letter for each user," says Kaspersky.
How it works
The malware used by these attackers installs legitimate remote administration software, either TeamViewer or Remote Manipulator System/Remote Utilities (RMS), which enables the criminals to gain remote control of infected systems. Various techniques are also used to hide the infection and the activity of the malware installed on the system.
When attackers connect to a victim's computer, they search for and analyse purchase documents, as well as the financial and accounting software used, banking clients, and suchlike. Once they've done that, the criminals look for different ways to commit financial fraud, such as spoofing the bank details used to make payments.
In some cases, the attackers need additional data or capabilities after infecting a system, including privilege escalation, local administrator privileges, user authentication data, or Windows accounts for lateral movement. In these cases the attackers download an additional pack of malware to the system, which is specifically tailored to the attack on each individual victim.
This pack included spyware; additional remote administration tools that extend the attackers' control of infected systems; malware that exploits vulnerabilities in the operating system; and the Mimikatz tool, which allows users to obtain data from Windows accounts.
Vyacheslav Kopeytsev, security expert at Kaspersky Lab, says the criminals were clearly interested in targeting Russian industrial companies.
"Based on our experiences, this is likely to be due to the fact that their level of cybersecurity awareness is not as high as it is in other markets such as financial services. That makes industrial companies a lucrative target for cybercriminals, not only in Russia, but across the world."
To avoid falling victim to spear phishing attacks, Kaspersky Lab recommends that users and businesses employ security solutions that have dedicated anti-phishing capabilities. The company also recommends introducing security awareness initiatives, such as gamified training with skills assessments and reinforcement through the repetition of simulated phishing attacks.