Golden ticket for industrial espionage: APT group takes over military IT infrastructure
Woburn, MA – August 8, 2022 – Kaspersky ICS CERT has detected a wave of targeted attacks on military contractors and public institutions in several Eastern European countries and in Afghanistan. The cybercriminals were able to take control over victims’ entire IT infrastructure for the purpose of industrial espionage.
In January 2022, Kaspersky researchers witnessed several advanced attacks on military enterprises and public organizations. The primary aim of the attacks was to access companies’ private information and to gain control over their IT systems. The malware being used by the attackers is similar to the one deployed by TA428 APT, a Chinese-speaking APT group.
The attackers infiltrate enterprise networks by sending carefully crafted phishing emails, some of which contain information specific to the target organization that had not been made public at the time the emails were sent. This indicates that the attackers deliberately prepare for the attacks and select their targets in advance. The phishing emails include a Microsoft Word document carrying malicious code that exploits a vulnerability allowing an attacker to execute arbitrary code as soon as the recipient opens the document, with no further user interaction. The vulnerability exists in outdated versions of the Microsoft Equation Editor, a component of Microsoft Office.
The attackers used six different backdoors at the same time, in order to set up additional communication channels with infected systems, in case one of the malicious programs was detected and removed by a security solution. These backdoors provide extensive functionality for controlling infected systems and collecting confidential data.
The attack’s final stage involves hijacking the domain controller and gaining complete control of all the organization’s workstations and servers. In one of the cases, the attackers even took over a cybersecurity solutions control center. After gaining domain administrator privileges and access to Active Directory, they carried out a “golden ticket” attack to impersonate arbitrary user accounts in the organization and searched for documents and other files containing the attacked organization’s sensitive data, which they exfiltrated to attacker-controlled servers hosted in different countries.
“Golden Ticket attacks take advantage of the default authentication protocol which has been used since the availability of Windows 2000,” said Vyacheslav Kopeytsev, security expert at Kaspersky ICS CERT. “By forging Kerberos Ticket Granting Tickets (TGTs) within the corporate network, the attackers can independently access any service that belongs to the network for an unlimited time. As a result, just changing passwords or blocking compromised accounts won’t be enough. Our advice is to check carefully all suspicious activity and rely on trustworthy security solutions.”
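The paragraphs above explain why a forged TGT survives password changes: the ticket is presented straight to the ticket-granting service, so the domain controller never sees the initial authentication exchange for it. That gap is also what a defender can hunt for. The following script is an added example written for this page, not tooling from Kaspersky ICS CERT or from the reported investigation. It applies two widely used golden-ticket heuristics to a constructed batch of Windows domain controller security events: a service-ticket request (event 4769) for an account and client address with no preceding TGT request (event 4768) inside the maximum TGT lifetime, and a service ticket encrypted with RC4 (ticket encryption type 0x17) in an environment that otherwise issues AES tickets, which is what forging tools produce when they are fed the krbtgt NT hash. The event records, host names, IP addresses and the 10-hour lookback (the default maximum TGT lifetime) are all assumptions made for the example.

```python
"""Hunt for golden-ticket indicators in domain controller Kerberos events.

Heuristic 1: a 4769 (service ticket requested) whose (account, client IP)
            pair has no 4768 (TGT requested) within the TGT lifetime.
            A forged TGT skips the AS exchange, so the DC never logs 4768.
Heuristic 2: a 4769 with TicketEncryptionType 0x17 (RC4-HMAC) while the
            domain otherwise issues AES (0x11 / 0x12) tickets.
"""
from datetime import datetime, timedelta

# Constructed sample events for this example (not real logs). The field names
# mirror TargetUserName / IpAddress / TicketEncryptionType / ServiceName in
# Windows Security events 4768 and 4769.
SAMPLE_EVENTS = [
    {"time": "2022-01-10T08:00:05", "id": 4768, "user": "jdoe",
     "ip": "10.0.0.21", "enc": "0x12"},
    {"time": "2022-01-10T08:00:07", "id": 4769, "user": "jdoe",
     "ip": "10.0.0.21", "enc": "0x12", "service": "cifs/fs01"},
    # "Administrator" from 10.0.0.77 requests service tickets with RC4 and
    # never asked this DC for a TGT: both heuristics fire.
    {"time": "2022-01-10T09:15:00", "id": 4769, "user": "Administrator",
     "ip": "10.0.0.77", "enc": "0x17", "service": "ldap/dc01"},
    {"time": "2022-01-10T09:15:30", "id": 4769, "user": "Administrator",
     "ip": "10.0.0.77", "enc": "0x17", "service": "cifs/dc01"},
    {"time": "2022-01-10T09:20:00", "id": 4768, "user": "svc_backup",
     "ip": "10.0.0.30", "enc": "0x12"},
    {"time": "2022-01-10T09:21:00", "id": 4769, "user": "svc_backup",
     "ip": "10.0.0.30", "enc": "0x12", "service": "cifs/fs02"},
]

RC4_HMAC = "0x17"
# Assumption: 10 hours is the default "Maximum lifetime for user ticket" in
# AD Kerberos policy; use the domain's actual value in practice.
DEFAULT_TGT_LIFETIME = timedelta(hours=10)


def find_golden_ticket_indicators(events, tgt_lifetime=DEFAULT_TGT_LIFETIME):
    """Return a list of (reason, event) tuples, in chronological order."""
    ordered = sorted(events, key=lambda e: e["time"])
    last_tgt = {}  # (account, client ip) -> time of the latest 4768 seen
    findings = []
    for event in ordered:
        when = datetime.fromisoformat(event["time"])
        key = (event["user"].lower(), event["ip"])
        if event["id"] == 4768:
            last_tgt[key] = when
            continue
        if event["id"] != 4769:
            continue
        tgt_time = last_tgt.get(key)
        if tgt_time is None or when - tgt_time > tgt_lifetime:
            findings.append(("4769 without a preceding 4768 for this client", event))
        if event["enc"] == RC4_HMAC:
            findings.append(("RC4 service ticket in an AES domain", event))
    return findings


def flagged_accounts(events):
    """Convenience view: the set of account names with at least one finding."""
    return {event["user"] for _, event in find_golden_ticket_indicators(events)}


if __name__ == "__main__":
    for reason, event in find_golden_ticket_indicators(SAMPLE_EVENTS):
        print(f"{event['time']} {event['user']}@{event['ip']} "
              f"{event.get('service', '')}: {reason}")
```

Two caveats matter when running this against real data. Event 4768 is written only by the domain controller that served the AS-REQ, so the correlation is only sound over events collected centrally from every DC; a single DC's log will produce false positives whenever a client authenticated elsewhere. And the RC4 heuristic assumes the domain has moved to AES; legacy systems that still negotiate RC4 must be baselined first, or the output will be noise. Neither check replaces the remediation the quote implies, which is resetting the krbtgt account password twice (with a replication interval in between) so that previously forged tickets stop validating.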
Learn more about these targeted attacks on Kaspersky ICS CERT.
To keep your ICS computers protected from various threats, Kaspersky experts recommend businesses:
· Regularly update operating systems and application software that are part of the enterprise’s network. Apply security fixes and patches to IT and OT network equipment as soon as they are available.
· Conduct regular security audits of IT and OT systems to identify and eliminate possible vulnerabilities.
· Use ICS network traffic monitoring, analysis, and detection solutions for better protection from attacks which potentially threaten technological processes and main enterprise assets.
· Put in place dedicated security training for IT security teams and OT engineers, to improve response to new and advanced malicious techniques.
· Provide the security team responsible for protecting industrial control systems with up-to-date threat intelligence. Kaspersky’s ICS Threat Intelligence Reporting service provides insights into current threats and attack vectors, as well as the most vulnerable elements in OT and industrial control systems and how to mitigate them.
· Use security solutions for OT endpoints and networks, such as Kaspersky Industrial CyberSecurity, to ensure comprehensive protection for all industry critical systems.
· Protect IT infrastructure as well; it is no less important. Integrated Endpoint Security protects corporate endpoints and enables automated threat detection and response capabilities.
About Kaspersky ICS CERT
Kaspersky Industrial Control Systems Cyber Emergency Response Team (Kaspersky ICS CERT) is a global project launched by Kaspersky in 2016 to coordinate the efforts of automation system vendors, industrial facility owners and operators, and IT security researchers to protect industrial enterprises from cyberattacks. Kaspersky ICS CERT devotes its efforts primarily to identifying potential and existing threats that target industrial automation systems and the Industrial Internet of Things. Kaspersky ICS CERT is an active member and partner of leading international organizations that develop recommendations on protecting industrial enterprises from cyberthreats. ics-cert.kaspersky.com
Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 250,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.
Sawyer Van Horn