- Security researchers reportedly observed over 200 compromised systems so far during the campaign, which is still active.
- The files that attackers are after could contain trade secrets, design schematics, and other sensitive business information.
Hundreds of industrial companies across the globe were found to be targets of cyber-espionage activity from an advanced persistent threat (APT) campaign dubbed Gangnam Industrial Style.
What happened?
Recently, security researchers detected and reported an advanced persistent threat (APT) campaign targeting critical infrastructure equipment manufacturers worldwide.
- Malicious actors were found using industry sector-themed spear-phishing emails, and a combination of free tools to target victims.
- As their activity reflects, the goal of the Gangnam attackers is information theft: stealing passwords and collecting documents from compromised systems.
- The files that attackers are after could contain trade secrets, design schematics, and other sensitive business information.
All such information helps adversaries plan future attacks, discover vulnerabilities in products, or give their preferred clients a competitive advantage.
Information theft through known malware
- The malware used in the attack is a variant of Separ, which has been around since at least 2013.
- The new version is capable of searching systems for documents and images with certain extensions and uploading them to an FTP server.
- According to the researchers, victims were targeted with meticulous phishing emails that masqueraded as requests for quotation (RFQs) from the industrial sector and carried malicious ZIP attachments.
- The rogue archives, disguised as PDFs, contained malicious batch scripts.
This implies that the attackers did their homework well. The emails were sent with attachments of fake documents, including power plant schematics, technical white papers, corporate profiles, etc., to make them look more legitimate.
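The delivery pattern described above (a ZIP attachment posing as a PDF, with a batch script inside) lends itself to a simple mail-gateway heuristic. The following is an added example written for this page, not code from CyberX or the report; the extension lists and the in-memory sample attachment are constructed assumptions.

```python
import io
import zipfile
from typing import List

# Assumed lists: executable/script types and document types used as lures.
SCRIPT_EXTENSIONS = {".bat", ".cmd", ".vbs", ".js", ".exe", ".scr", ".ps1"}
DOCUMENT_LURES = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}


def _extension(name: str) -> str:
    """Return the final extension of a lower-cased file name, or '' if none."""
    return "." + name.rsplit(".", 1)[-1] if "." in name else ""


def suspicious_attachment_findings(filename: str, data: bytes) -> List[str]:
    """Flag an attachment that looks like the RFQ-themed lure described above."""
    findings: List[str] = []
    lower = filename.lower()
    parts = lower.split(".")
    # e.g. "RFQ_quotation.pdf.zip": a document extension tucked before the real one
    if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_LURES:
        findings.append(f"double extension: {filename}")
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            ext = _extension(name)
            if ext not in SCRIPT_EXTENSIONS:
                continue
            findings.append(f"script member: {info.filename}")
            # the member itself masquerading as a document, e.g. "quotation.pdf.bat"
            stem = name[: -len(ext)]
            if any(stem.endswith(lure) for lure in DOCUMENT_LURES):
                findings.append(f"member disguised as document: {info.filename}")
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample attachment: a harmless placeholder batch file with a PDF-looking name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("RFQ_2019_power_plant.pdf.bat", "@echo off\r\nrem constructed placeholder\r\n")
        zf.writestr("readme.txt", "constructed sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    for line in suspicious_attachment_findings("RFQ_quotation.pdf.zip", build_sample_zip()):
        print(line)
```

A real gateway would combine this with sender reputation and sandboxing, since a legitimate archive can also contain a script.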
Target countries
- More than half of the targeted companies are based in South Korea.
- Victims were also detected in China, Thailand, Japan, Indonesia, Turkey, Germany, the UK and Ecuador.
- A security breach at a manufacturing firm in South Korea could disclose the information needed to attack its partners and customers around the globe.
- A Korean multi-billion-dollar conglomerate that makes heavy equipment for power transmission and distribution facilities, renewable energy, chemical plants, welding, and construction was also targeted.
The researchers noted over 200 compromised systems so far during the campaign, which is still active. The report was generated by industrial cybersecurity firm CyberX.
Final words
Companies from the industrial sector and security stakeholders must ensure that systems and industrial control networks are duly protected from unauthorized access. It is highly advisable to implement multi-factor authentication for remote access to prevent easy access to sensitive data.
“Our research indicates the Gangnam Industrial Style campaign is ongoing, because new stolen credentials are still being uploaded to the adversary’s C2 [command-and-control] server,” the CyberX researchers said in their report.