Spear-Phishing Attack on Industrial Consulting Firm Linked to Larger Campaign

Analysis of a phishing email sent to a company that specializes in assessing industrial control systems ties the attack to a larger campaign, likely originating overseas, that is run through a well-disguised chain of command-and-control servers.

An unsuccessful spear-phishing attempt against a company specializing in assessing industrial control systems is tied to a larger campaign believed to be emanating from China, security researchers say.

Last week, it was revealed that an employee of Digital Bond had received an email from an account meant to impersonate CEO Dale Peterson. The message linked to a .zip file based on an old research paper the company had published.

Further analysis by researchers at AlienVault and IOActive connects the perpetrators of the attack to attacks against other organizations.

"Using the information extracted from the binaries and the servers involved on the attack, we were able to [identify] more files and campaigns launched by this group during the last months," explained Jaime Blasco, labs manager at AlienVault, in a blog post.

Among the targets in those attacks were the Japan Network Information Center and the Hong Kong University of Science and Technology.

"We have identified that the group behind these attacks is using hacked Web servers to host the malicious configuration files," Blasco added. "Based on the networks hosting the C&C [command-and-control] IPs (mainly universities), it is very likely that these servers are also hacked and some kind of proxy is installed on them to redirect the traffic to the real C&C server. This can be easily [achieved] using HTran or other similar software commonly used by Chinese hacker groups in this kind of campaign."

Other targets of these attacks include organizations connected to the U.S. government or directly to U.S. defense contractors, providing services such as authentication software and hardware, industrial control systems security or strategic consulting, explained Ruben Santamarta, a researcher at IOActive.

Despite the difficulty in trying to confirm the true source of these attacks, "we would like to note that code, tricks and certain infrastructure usually present in the Chinese hacking scene have been identified in this campaign," he blogged.

When the malicious .zip file was analyzed by the Shadowserver Foundation, researchers concluded the attack patterns were similar to what was uncovered in the Shady RAT campaign revealed by McAfee in 2011. According to McAfee's research, Shady RAT's roots trace back to 2006, and the campaign has affected scores of organizations ranging from defense contractors to the United Nations.

According to Shadowserver's Ned Moran, the similarities between Shady RAT and the attack on Digital Bond include the use of encoded commands hidden in otherwise normal-looking Web pages, as well as an overlap between the C&C infrastructure used in this attack and that of previous Shady RAT attacks.
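The "encoded commands hidden in normal-looking Web pages" technique is the one detail a defender can actually hunt for. The article does not describe the encoding the attackers used, so the following added example (not code from the article, Shadowserver or McAfee) assumes one common variant, a base64 blob inside an HTML comment, and shows a heuristic scanner that pulls comments out of a fetched page, keeps only high-entropy base64-looking tokens, and reports any that decode to printable ASCII. The sample page, the CMS banner and the hidden command string are constructed for the example.

```python
# Added example: heuristic scan of an HTML page for encoded commands hidden
# in comments. ASSUMPTION: the hidden command is a base64 string inside an
# HTML comment; the article does not specify the real encoding.
import base64
import binascii
import math
import re
from typing import List, Optional, Tuple

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# 16+ base64 alphabet characters with optional padding; short words never match.
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def shannon_entropy(s: str) -> float:
    """Bits per character; English words sit well below base64 output."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def try_decode_b64(token: str) -> Optional[str]:
    """Return the decoded text if the token is valid base64 of printable ASCII."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def find_hidden_commands(html: str, min_entropy: float = 3.5) -> List[Tuple[str, str]]:
    """Return (encoded_token, decoded_text) pairs found inside HTML comments."""
    hits: List[Tuple[str, str]] = []
    for comment in COMMENT_RE.findall(html):
        for token in B64_TOKEN_RE.findall(comment):
            if shannon_entropy(token) < min_entropy:
                continue  # plain words, version strings, etc.
            decoded = try_decode_b64(token)
            if decoded is not None:
                hits.append((token, decoded))
    return hits


# Constructed sample: a benign-looking page with one hidden, encoded command.
HIDDEN_COMMAND = "beacon=3600;task=none"  # made up for this example
_ENCODED = base64.b64encode(HIDDEN_COMMAND.encode()).decode()
SAMPLE_PAGE = f"""<html><head><title>Campus News</title></head>
<body>
<!-- generated by SiteCMS 2.1 on 2012-06-04 -->
<h1>Summer schedule</h1>
<p>The library closes early on Fridays during the summer term.</p>
<!-- {_ENCODED} -->
</body></html>"""


if __name__ == "__main__":
    for token, decoded in find_hidden_commands(SAMPLE_PAGE):
        print(f"hidden command: {decoded!r} (encoded as {token})")
```

The entropy gate is what keeps ordinary comments quiet: a build banner or a copyright line never yields a 16-character run of base64 characters with the flat character distribution that real base64 output has, and anything that slips through still has to decode cleanly to printable text. Tune `min_entropy` downward only if you have a sample of the real encoding to calibrate against.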

The malware used in the attack was hosted on research.digitalvortex.com. Once a system is infected, the malware is designed to create a backdoor and connect to a C&C server at hint.happyforever.com.
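The two hostnames above are the article's only concrete network indicators, and the first thing a security team would do with them is sweep proxy and DNS logs. The following added example (not code from the article or any of the vendors named in it) does that over a constructed Squid-style access log: it extracts the destination host from both plain GET requests and CONNECT tunnels, matches the host exactly or as a subdomain of either indicator, and groups the internal clients that touched each one. The log format, timestamps, client addresses and file name are assumptions made up for the example.

```python
# Added example: sweep constructed proxy log lines for the two hostnames
# named in the article. ASSUMPTIONS: Squid-style access log layout and the
# sample clients/URLs below, all made up for this example.
import re
from typing import Dict, List, Set
from urllib.parse import urlsplit

# Indicators named in the article (hosting of the .zip and the C&C host).
IOC_DOMAINS = ("research.digitalvortex.com", "hint.happyforever.com")

# Assumed layout: "<ts> <elapsed> <client> <code/status> <bytes> <method> <url> ..."
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def host_of(url: str) -> str:
    """Destination host for a GET/POST URL or a CONNECT 'host:port' target."""
    if "://" not in url:
        return url.split(":")[0].lower()
    return (urlsplit(url).hostname or "").lower()


def host_matches(host: str, ioc: str) -> bool:
    """Exact match or a subdomain of the indicator; lookalikes do not match."""
    host = host.rstrip(".")
    return host == ioc or host.endswith("." + ioc)


def find_ioc_hits(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per log line whose destination host hits an indicator."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real sweep would count these
        host = host_of(m.group("url"))
        for ioc in IOC_DOMAINS:
            if host_matches(host, ioc):
                hits.append({
                    "ts": m.group("ts"),
                    "client": m.group("client"),
                    "method": m.group("method"),
                    "host": host,
                    "ioc": ioc,
                })
    return hits


def clients_by_ioc(hits: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Which internal clients touched which indicator (triage list)."""
    out: Dict[str, Set[str]] = {}
    for h in hits:
        out.setdefault(h["ioc"], set()).add(h["client"])
    return out


# Constructed sample log: one client downloads the .zip, then beacons to the
# C&C host over HTTP and HTTPS; two other clients are benign, including a
# lookalike domain that must not match.
SAMPLE_LOG = """
1338566401.123 245 10.20.30.41 TCP_MISS/200 51234 GET http://research.digitalvortex.com/papers/ics_paper.zip - DIRECT/198.51.100.7 application/zip
1338566455.987 12 10.20.30.41 TCP_MISS/200 812 GET http://hint.happyforever.com/index.htm - DIRECT/198.51.100.9 text/html
1338566460.001 8 10.20.30.52 TCP_MISS/200 4120 GET http://www.example.com/news/ - DIRECT/203.0.113.5 text/html
1338566470.500 30 10.20.30.41 TCP_TUNNEL/200 2200 CONNECT hint.happyforever.com:443 - DIRECT/198.51.100.9 -
1338566480.000 5 10.20.30.77 TCP_MISS/200 900 GET http://hint.happyforever.com.evil.example/ - DIRECT/203.0.113.9 text/html
""".strip().splitlines()


if __name__ == "__main__":
    found = find_ioc_hits(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['client']} {h['method']} {h['host']} -> {h['ioc']}")
    print(clients_by_ioc(found))
```

The CONNECT handling matters: once a backdoor moves to HTTPS, the proxy log no longer carries a URL, only the tunnel endpoint, and a sweep that parses URLs alone will miss the beacon. Matching on the host suffix rather than a substring is what keeps `hint.happyforever.com.evil.example` out of the results while still catching any subdomain the attackers might add under the named host.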

"It's a bit concerning that a company whose sole focus is securing industrial control systems should be spear-phished," blogged Reid Wightman, a Digital Bond security consultant. "The attacker clearly went to enough trouble to try to understand ICS security lingo to get the employee to open the link, and had to compromise a DNS server. ... Thankfully, the attack was unsuccessful; paranoia pays off. It is definitely a lesson in 'be careful what you open' ... even if it looks to be coming from Digital Bond (or your boss, as in this case), don't open a file if you aren't expecting it."