Kaspersky has recently concluded an investigation into cyber attacks targeting the industrial sector in Eastern Europe. The investigation revealed that the threat actors employed advanced tactics, techniques, and procedures (TTPs) to compromise industrial organizations in the region. Organizations in manufacturing and in industrial control system (ICS) engineering and integration were particularly affected, emphasizing the urgent need for enhanced cybersecurity preparedness.
During the investigation, Kaspersky uncovered a series of targeted attacks with the objective of establishing a permanent channel for data exfiltration. These campaigns exhibited significant resemblances to previously researched attacks, such as ExCone and DexCone, suggesting the involvement of APT31, also known as Judgment Panda and Zirconium.
The investigation unveiled the use of advanced implants designed for remote access, showcasing the threat actors’ extensive knowledge and expertise in bypassing security measures. These implants enabled the establishment of persistent channels for data exfiltration, including from highly secure systems.
Notably, the threat actors again made extensive use of DLL hijacking (that is, abusing legitimate third-party executables that can be made to load a malicious dynamic-link library (DLL) into their own process) to evade detection while running the multiple implants used across the three attack stages.
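As an added illustration, not code from the article or from Kaspersky, the following Python script applies the check a defender would run for this technique over image-load telemetry. It takes records shaped like the fields of a Sysmon Event ID 7 (Image Loaded) event and flags loads in which a DLL is resolved from the executable's own directory rather than from the Windows system directories, either because the module is unsigned or because it carries the name of an OS DLL. The sample events and the short list of commonly hijacked DLL names are constructed for the example and are not taken from the investigation.

```python
"""Flag candidate DLL search-order hijacking (side-loading) in image-load events.

Added example, not Kaspersky's code. Records mimic Sysmon Event ID 7 fields;
the sample events and the DLL-name list below are constructed for illustration.
"""
import ntpath
from dataclasses import dataclass

# Loads resolved from the OS directories follow normal search order; not flagged.
SYSTEM_DIRS = tuple(d + "\\" for d in (
    r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs"))

# Illustrative names of OS DLLs that executables commonly import and that are
# therefore attractive to plant next to a copied legitimate binary (assumed list).
SYSTEM_DLL_NAMES = {"version.dll", "dwmapi.dll", "userenv.dll",
                    "wtsapi32.dll", "cryptbase.dll", "profapi.dll"}


@dataclass(frozen=True)
class ImageLoad:
    image: str          # Sysmon EID 7 "Image": the process executable
    image_loaded: str   # Sysmon EID 7 "ImageLoaded": the module that was mapped
    signed: bool        # Sysmon EID 7 "Signed"
    signature: str      # Sysmon EID 7 "Signature": publisher of the module, "" if unsigned


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def _in_system_dir(path: str) -> bool:
    return any(path.startswith(d) for d in SYSTEM_DIRS)


def sideload_reasons(ev: ImageLoad) -> list[str]:
    """Return why an image load looks like search-order hijacking (empty list if it does not)."""
    loaded = _norm(ev.image_loaded)
    if not loaded.endswith(".dll") or _in_system_dir(loaded):
        return []
    reasons = []
    same_dir = ntpath.dirname(loaded) == ntpath.dirname(_norm(ev.image))
    name = ntpath.basename(loaded)
    if name in SYSTEM_DLL_NAMES:
        reasons.append(f"system DLL name {name} resolved outside the Windows directory")
    if same_dir and not ev.signed:
        reasons.append("unsigned DLL loaded from the process's own directory")
    return reasons


def find_sideload_candidates(events):
    """Return (process, module, reasons) for every event that matches at least one heuristic."""
    hits = []
    for ev in events:
        reasons = sideload_reasons(ev)
        if reasons:
            hits.append((ev.image, ev.image_loaded, reasons))
    return hits


# Constructed sample telemetry: two benign loads, two that fit the side-loading pattern.
SAMPLE_EVENTS = [
    # Normal: an OS DLL resolved from System32.
    ImageLoad(r"C:\Program Files\Vendor\tool.exe",
              r"C:\Windows\System32\version.dll", True, "Microsoft Windows"),
    # Normal: the vendor's own signed helper library next to its executable.
    ImageLoad(r"C:\Program Files\Vendor\tool.exe",
              r"C:\Program Files\Vendor\vendorhelper.dll", True, "Vendor Inc."),
    # Suspicious: unsigned DLL placed beside a legitimate executable copied to a writable path.
    ImageLoad(r"C:\ProgramData\update\tool.exe",
              r"C:\ProgramData\update\vendorhelper.dll", False, ""),
    # Suspicious: an OS DLL name resolved from the process directory instead of System32.
    ImageLoad(r"C:\ProgramData\update\tool.exe",
              r"C:\ProgramData\update\version.dll", False, ""),
]

if __name__ == "__main__":
    for process, module, reasons in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"{process} loaded {module}: {'; '.join(reasons)}")
```

In production the same logic runs over the Sysmon or EDR image-load stream; the publisher field can additionally be compared against the publisher of the host executable, and a baseline of known vendor directories reduces noise from software that legitimately ships its own DLLs next to its binaries.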
Cloud-based data storage services such as Dropbox and Yandex Disk, as well as temporary file-sharing platforms, were used both to exfiltrate data and to deliver subsequent malware. The attackers also deployed command and control (C2) infrastructure on Yandex Cloud and on regular virtual private servers (VPS) to maintain control over compromised networks.
Within these attacks, new variants of the FourteenHi malware were deployed. Originally discovered in 2021 during the ExCone campaign targeting government entities, this malware family has since evolved, with new variants surfacing in 2022 that specifically target the infrastructure of industrial organizations.
Additionally, a novel malware implant, dubbed MeatBall, was discovered during the investigation. This backdoor implant possesses extensive remote access capabilities.
“We cannot underestimate the significant risks posed to industrial sectors by the targeted attacks they face. As organizations continue to digitize their operations and rely on interconnected systems, the potential consequences of successful attacks on critical infrastructure are undeniable. This analysis emphasizes the critical importance of implementing resilient cybersecurity measures to protect industrial infrastructure against existing and future threats,” comments Kirill Kruglov, Senior Security Researcher at Kaspersky ICS CERT.