ICS security firms targeted in phishing campaign

Powered by SC Magazine
 

Defence contractors, universities primed.

Organisations focused on industrial control system (ICS) security have been hit with sophisticated phishing attacks designed to implant malware and steal data.

The attacks, against universities and defence contractors, came to light after staff at ICS security consultancy Digital Bond received a phishing email purporting to have been sent from the company’s boss, Dale Peterson.

Digital Bond provides security advice to large operators of industrial control systems.

Attackers pasted text from an email Peterson had previously sent and booby-trapped a PDF attachment of his 2009 paper on vulnerabilities in distributed control system field devices. 

The phishing email

Peterson said it was concerning that the attackers had targeted an ICS-specific organisation.

"The attacker clearly went to enough trouble to try to understand ICS security lingo to get the employee to open the link, and had to compromise a DNS server," he said.

The phishing email was received by a Digital Bond contractor, who forwarded it to Peterson. The malicious attachment was not opened by staff, Peterson said.

The payload embedded in the document was detected by only seven of 42 anti-virus engines, indicating the attackers had held the malware in reserve for use in these attacks.

Shadowserver’s Ned Moran said hacked servers were used for command and control through which remote access tool (RAT) Dalbot.gen was served onto infected machines.

That tool resembled a RAT used in the ShadyRAT attacks against similar targets, further research by AlienVault's Jaime Blasco found.

ShadyRAT was a five-year espionage campaign reportedly launched from China-based attackers against defence contractors and government agencies, among other targets.

Blasco and IOActive’s Ruben Santamarta discovered the attacks were part of a campaign targeting multiple ICS firms over several months.

They detailed a series of malicious and benign files that were distributed under the campaign, revealing possible targets including Purdue, Rhode Island and Carnegie Mellon universities, defence contractor NJVC and government consultancy Chertoff Group.

The campaign displayed characteristics pointing to China-based attackers.

“According to the information collected, the targets of these campaigns are somehow related with the US Government or US defense contractors directly, providing different services such as authentication software/hardware, ICS security, or strategic consulting,” Santamarta said.

“Despite the fact that attribution is the most polemic task nowadays, we would like to note that code, tricks and certain infrastructure usually present in the Chinese hacking scene have been identified in this campaign.”

Copyright © SC Magazine, Australia
