An analysis of a phishing email sent to a company that specializes in assessing industrial control systems is connected to a larger campaign likely originating from overseas through a well-disguised chain of command-and-control servers.
An unsuccessful spear-phishing attempt against a company specializing in assessing industrial control systems is tied to a larger campaign believed to be emanating from China, security researchers
Last week, it was revealed that an employee of Digital Bond had received an email from an account meant to impersonate CEO Dale Peterson. The message linked to a .zip file based on an old research paper the company had published.
Further analysis by researchers at AlienVault and IOActive connects the perpetrators of the attack to attacks against other
"Using the information extracted from the binaries and the servers involved on the attack, we were able to [identify] more files and campaigns launched by this group during the last months," explained Jaime Blasco, labs manager at AlienVault, in a blog post.
Among the targets in those attacks were the Japan Network Information Center and the Hong Kong University of Science and
"We have identified that the group behind these attacks is using hacked Web servers to host the malicious configuration files," Blasco added. "Based on the networks hosting the C&C [command-and-control] IPs (mainly universities), it is very likely that these servers are also hacked and some kind of proxy is installed on them to redirect the traffic to the real C&C server. This can be easily [achieved] using HTran or other similar software commonly used by Chinese hacker groups in this kind of campaign."
Other targets of these attacks include targets related to the U.S. government or U.S. defense contractors directly, providing different services, such as authentication software/hardware, industrial control systems security or strategic consulting, explained a researcher for IOActive.
"Despite the difficulty in trying to confirm the true source of these attacks, we would like to note that code, tricks and certain infrastructure usually present in the Chinese hacking scene have been identified in this campaign," he blogged.
When the malicious .zip file was analyzed by the Shadowserver Foundation, researchers concluded the attack patterns were similar to what was uncovered in the Shady Rat campaign revealed by McAfee in 2011. According to McAfee's research, Shady Rat's roots trace back to 2006 and it has affected scores of organizations ranging from defense contractors to the United Nations.
According to Shadowserver's Ned Moran, the similarities between Shady Rat and the attack on Digital Bond include the use of encoded commands hidden in otherwise normal-looking Web pages, as well as an overlap in the C&C infrastructure used in this attack with previous Shady
The malware used in the attack was hosted on research.digitalvortex.com. Once a system is infected, the malware is designed to create a backdoor and connect to a C&C server at hint.happyforever.com.
"It's a bit concerning that a company whose sole focus is securing industrial control systems should be spear-phished," blogged Reid Wightman, a Digital Bond security consultant. "The attacker clearly went to enough trouble to try to understand ICS security lingo to get the employee to open the link, and had to compromise a DNS server. ... Thankfully, the attack was unsuccessful; paranoia pays off. It is definitely a lesson in be careful what you open ... even if it looks to be coming from Digital Bond (or your boss, as in this case), don't open a file if you aren't