New targeted attack strategies used against industrial companies

A new, rapidly evolving series of spyware campaigns attacking more than 2,000 industrial enterprises around the world has been uncovered by experts at Kaspersky.

Although the malware used in these attacks belongs to well-known commodity spyware families, the attacks stand out from the mainstream due to the very limited number of targets in each attack -- no more than a few dozen -- and the very short lifetime of each malicious sample.

Close analysis of 58,586 samples of spyware blocked on ICS computers in the first half of 2021 reveals that around 21.2 percent of them were part of this new limited-scope and short-lifetime attack series. Their lifecycle is limited to about 25 days, which is much less than the lifespan of a traditional spyware campaign.

Another interesting feature is that most of these campaigns are spread from one industrial enterprise to another via well-crafted phishing emails. Once inside the victim's system, the attacker uses the device as the command and control server for the next attack. With access to the victim's mailing list, criminals can then spread the spyware even further.

"Throughout 2021, cybercriminals extensively used spyware to attack industrial computers, and today we witness a new rapidly evolving trend in the industrial threat landscape," says Kirill Kruglov, security expert at Kaspersky ICS CERT. "To avoid detection, criminals shrink the size of each attack and limit the use of each malware sample by quickly enforcing its replacement with a fresh-built one. Other tactics include the vast abuse of corporate email infrastructure to spread malware. This is different from anything we've observed in spyware before and we anticipate such attacks to gain traction in the year ahead."

Kaspersky experts have identified more than 25 different marketplaces where the stolen credentials from these industrial campaigns are being sold. Analysis of those marketplaces shows high demand for corporate account credentials, especially for remote desktop (RDP) accounts. Over 46 percent of all RDP accounts sold in the analyzed marketplaces are owned by companies in the US, while the rest originate from Asia, Europe, and Latin America.

You can find out more on the Kaspersky ICS CERT site.
