A wave of spear phishing attacks has gained the attention of security researchers because the messages target individuals who have an interest in industrial control system security.
The spear phishing attacks appear to be part of a broad campaign targeting U.S. defense contractors, several universities and security firms. The malware operates as a remote access tool and was initially detected by only a handful of antivirus vendors.
The attack was first made public by Digital Bond Inc., which conducts security assessments on industrial control systems. The company provided an image of the malicious spear phishing message. An employee at the firm received an email containing a malicious .zip file made to look like a legitimate Adobe PDF file. Researchers at several other security firms, including AlienVault LLC and IOActive Inc., reported a similar attack.
“The trick used is nothing new or exciting, but unfortunately, sometimes is enough to trick the victim into running the malware because the file poses as a PDF file,” wrote Ruben Santamarta, a researcher at Seattle, Wash.-based IOActive. Santamarta dissected the attack in an attempt to determine the intentions of the message's authors. “According to the information collected, the targets of these campaigns are somehow related with the U.S. government or U.S. Department of Defense contractors directly, providing different services, such as authentication software/hardware, industrial control systems security, or strategic consulting.”
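The lure described above is an emailed .zip whose contents pose as a PDF. A mail gateway or triage script can catch the common variants of that trick before a user double-clicks: a double extension such as "Agenda.pdf.exe", a ".pdf" name whose bytes actually start with the Windows "MZ" executable header, a bare executable extension, or a right-to-left override character that visually reverses the extension. The following is an added example written for this page, not code from the article, IOActive, AlienVault or Digital Bond; the sample archive it scans is constructed inline with harmless placeholder bytes, and the file names are invented.

```python
"""Added example: flag zip attachment members that pose as PDFs but are executables.

Not from the article or the firms it cites. The sample archive below is constructed
in memory with placeholder bytes; no real malware is involved.
"""
import io
import zipfile

PDF_MAGIC = b"%PDF-"
MZ_MAGIC = b"MZ"           # first two bytes of a Windows PE executable
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf"}
RTL_OVERRIDE = "\u202e"    # U+202E reverses the displayed order of what follows


def classify_member(name: str, head: bytes) -> list[str]:
    """Return the reasons a zip member looks like a disguised executable.

    name: the member's file name inside the archive
    head: the first few bytes of the member's content
    """
    reasons = []
    base = name.lower().rsplit("/", 1)[-1]      # ignore any directory prefix
    exts = ["." + p for p in base.split(".")[1:]]  # e.g. ["pdf", "exe"] -> [".pdf", ".exe"]

    # "Agenda.pdf.exe": a document extension immediately followed by an executable one.
    # Windows hides the final extension by default, so the user sees "Agenda.pdf".
    if len(exts) >= 2 and exts[-1] in EXEC_EXTS and exts[-2] in DOC_EXTS:
        reasons.append("double extension " + "".join(exts[-2:]))
    elif exts and exts[-1] in EXEC_EXTS:
        reasons.append("executable extension " + exts[-1])

    # Name says PDF, bytes say PE: a renamed executable or an icon-spoofed dropper.
    if exts and exts[-1] == ".pdf" and head.startswith(MZ_MAGIC):
        reasons.append("'.pdf' name but content starts with MZ executable header")

    # Right-to-left override makes "report[RLO]fdp.exe" render as "reportexe.pdf".
    if RTL_OVERRIDE in name:
        reasons.append("right-to-left override character in file name")

    return reasons


def scan_zip_bytes(data: bytes) -> dict[str, list[str]]:
    """Scan an in-memory zip and return {member_name: [reasons]} for suspicious members."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)       # enough to compare against the magic values
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed test archive: one benign PDF and two disguised 'executables'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Conference_Agenda.pdf", PDF_MAGIC + b"1.4\n% constructed benign sample")
        zf.writestr("Conference_Agenda.pdf.exe", MZ_MAGIC + b"\x90\x00" * 4)  # placeholder, not a PE
        zf.writestr("Invoice.pdf", MZ_MAGIC + b"\x90\x00" * 4)                # renamed 'executable'
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip_bytes(build_sample_zip()).items():
        print(member, "->", "; ".join(why))
```

Reading the first bytes of each member rather than trusting the name is the point: the extension is under the attacker's control, the file header is what Windows actually uses to decide whether to execute it. In production the same check belongs at the mail gateway, with archive members larger than a sane attachment size rejected before extraction to avoid decompression bombs.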
Santamarta concluded the techniques and details of the command-and-control infrastructure point to hackers based in China.
Spear phishing attacks on high-profile targets, such as businesses in the energy and defense sectors, are common and constant, experts say. Last year researchers unveiled a cyberespionage operation, dubbed Night Dragon, designed to steal intellectual property from oil, energy and petrochemical companies. Researchers at McAfee Inc. said the attacks dated back to 2009 and shed light on the need to better secure critical infrastructure, including the systems that run oil and chemical refineries and power plants.
Researchers continue to analyze the latest round of spear phishing attacks. Jaime Blasco of Campbell, Calif.-based AlienVault shared details of the malware analysis, indicating the spear phishing attacks have been ongoing over the last several months. The attackers behind the campaign appear to be dropping additional files to give themselves more capabilities on infected systems.
“We have identified that the group behind these attacks is using hacked Web servers to host the malicious configuration files,” Blasco wrote.