June 15, 2017

Nigerian phishing scammers targeting industrial companies steal IP and network plans

Woburn, MA – June 15, 2017 – Kaspersky Lab today announced a report by its Industrial Control Systems Cyber Emergency Response Team (ICS CERT), which found attackers behind a recent surge in phishing attacks on industrial companies are stealing victims’ project and operational plans, as well as diagrams of electrical and information networks.

Woburn, MA – June 15, 2017 – Kaspersky Lab today announced a report by its Industrial Control Systems Cyber Emergency Response Team (ICS CERT), which found attackers behind a recent surge in phishing attacks on industrial companies are stealing victims’ project and operational plans, as well as diagrams of electrical and information networks. These purposeful actions raise concerns for experts about the cybercriminals’ future intentions.

Business Email Compromise (BEC) attacks, often linked to Nigeria, seek to hijack genuine business accounts which the attackers can monitor for financial transactions to intercept or redirect. In October 2016, Kaspersky Lab researchers noticed a significant spike in the number of malware infection attempts targeting industrial customers. They identified over 500 attacked companies in 50 countries, mainly industrial enterprises, large transportation and logistics corporations, and the attacks are ongoing.

The attack sequence

The attack sequence begins with a carefully crafted phishing email, appearing to come from suppliers, customers, commercial organizations and delivery services. The attackers use malware belonging to at least eight different Trojan-spy and backdoor families, all available cheaply on the black market, and designed primarily to steal confidential data and install remote administration tools on infected systems.

On infected corporate computers, the attackers take screenshots of correspondence or redirect messages to their own mail box so they can look out for lucrative transactions. The payment is then intercepted through a classic man-in-the-middle attack, by replacing the account details in a legitimate seller’s invoice with the attackers’ own.

The unknown threat

While analyzing the command-and-control servers used in the most recent 2017 attacks, the researchers noted that screenshots of operations and project plans, as well as technical drawings and network diagrams were among the data stolen. Further, these images had not been taken from the computers of project managers or procurement managers, the attackers’ usual targets, but from those belonging to operators, engineers, designers and architects.

“There is no need for the attackers to collect this kind of data in order to perpetrate their phishing scams, said Maria Garnaeva, Senior Security Researchers, Critical Infrastructure Threat Analysis, Kaspersky Lab. “What are they doing with this information? Is the collection accidental, or intentional, perhaps commissioned by a third party? So far, we have not seen any of the information stolen by Nigerian cybercriminals on the black market; however, it is clear that for the companies being attacked, in addition to the direct financial loss, a Nigerian phishing attack poses other, possibly more serious, threats.”

The next step could be for attackers to gain access to the computers that form part of an industrial control system, where any interception or adjustment of settings could have a devastating impact.

Attacker profile

When the researchers extracted the command and control (C&C) addresses from the malicious files, it turned out that in some cases the same servers were used for malware from different families. This suggests there is either one cybercriminal group behind all the attacks, making use of different malware, or a number of groups cooperating and sharing resources. The researchers also found that most domains were registered to residents of Nigeria.

How to mitigate the threat

Kaspersky Lab advises companies to implement the following basic security best practice:

Educate employees in essential email security: not clicking on suspicious links and attachments and carefully checking the origin of an email. Alsokeep them informed of the latest tools and tricks used by cybercriminals.
Always double check requests to change bank account details, payment methods etc. during transactions.
Install a security solution on all workstations and servers where possible and implement all updates immediately.
In the event of a system being compromised, change the passwords for all accounts used on that system.
If your organization has an industrial control system, install specialized security that will monitor and analyze all network activity and more.

For more information on this threat, and how to protect against it, read the report on Securelist.com.

For further information on threats facing industrial control systems, visit the ICS CERT.

About Kaspersky Lab

Kaspersky Lab is a global cybersecurity company celebrating its 20 year anniversary in 2017. Kaspersky Lab’s deep threat intelligence and security expertise is constantly transforming into security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky Lab technologies and we help 270,000 corporate clients protect what matters most to them.

Learn more at www.kaspersky.com.

For the latest in-depth information on security threat issues and trends, please visit:

Securelist | Information about Viruses, Hackers and Spam

Follow @Securelist on Twitter

Threatpost | The First Stop for Security News

Follow @Threatpost on Twitter

Media Contact

Sarah Kitsos

781.503.2615

sarah.kitsos@kaspersky.com