CyberX researchers have uncovered an advanced persistent threat (APT) campaign targeting manufacturers of critical infrastructure equipment and other manufacturing companies, largely in South Korea, using industry-themed spear-phishing emails and a combination of free tools. This strategy fits the 'living off the land' trend among cyberespionage attackers, who are reducing their dependency on custom and exclusive malware programs that can be attributed to them in favor of publicly available dual-use tools.

According to CyberX, this campaign, called 'Gangnam Industrial Style', has already infected at least 200 networks, approximately 60% of which are based in South Korea. The victims include a manufacturer of heavy power transmission equipment; a company that builds chemical plants; suppliers of steel valves, pipes; and several other firms.

The primary goal of the Gangnam attackers, according to the researchers, is to steal data. This is reflected in their use of the Separ info-stealer malware, first documented in 2013 and considered to be part of the 'North Korean malware family tree'. It helps attackers steal email and account login information.

The wave of attacks has targeted companies in Thailand, China, Indonesia, Japan, Turkey, Germany, Ecuador, Switzerland, and the UK.

In the current campaign, the attackers use a new variant of the Separ malware, which can also capture sensitive documents and images from infected devices. The stolen data is then transferred to an FTP server.

The phishing emails come with a malicious attachment, usually a zip file containing batch scripts that are often disguised as PDF files. According to the researchers, organizations should educate their staff to be suspicious of email attachments that purport to contain details about RFQs or RFPs. They should also implement email and endpoint security programs capable of detecting any suspicious activity on critical systems.
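As an added illustration (not code from CyberX or the article), a mail-gateway style check can open a zip attachment and flag script entries, including ones named to look like documents. The extension lists, the double-extension naming such as `.pdf.bat`, and the sample archive are assumptions constructed for this example.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed policy list of script/executable extensions; tune for your environment.
SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".js", ".ps1", ".exe", ".scr", ".com"}
# Document extensions commonly used as a decoy before the real extension.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png"}


def scan_zip(data: bytes) -> list[tuple[str, str]]:
    """Return (entry name, reason) for each suspicious entry in a zip attachment."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [("<archive>", "not a readable zip")]
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Windows ignores trailing dots/spaces in names, so strip them first.
            name = info.filename.replace("\\", "/").rstrip(". ")
            suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
            if not suffixes or suffixes[-1] not in SCRIPT_EXTS:
                continue
            if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
                findings.append((info.filename, "script disguised with document extension"))
            else:
                findings.append((info.filename, "script or executable in archive"))
    return findings


def build_sample() -> bytes:
    """Constructed sample attachment with harmless placeholder contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("RFQ_details.pdf.bat", "rem placeholder\n")
        z.writestr("drawings/spec.pdf", "%PDF-1.4 placeholder")
        z.writestr("helper.cmd", "rem placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in scan_zip(build_sample()):
        print(f"{entry}: {reason}")
```

A check like this only inspects entry names, so it complements rather than replaces content scanning and endpoint monitoring.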

CyberX recommends that firms implement a multi-layer security mechanism to protect themselves against these targeted industrial cyber espionage campaigns.
