A cadre of Nigerian hackers has successfully stolen sensitive commercial data from industrial firms around the world.
Kaspersky Lab said that while there were indications last autumn and dating back to 2015 that there was an ongoing phishing campaign aimed at this sector, new evidence shows that the attack is much more widespread than originally thought: There have been more than 500 attacked companies in more than 50 countries so far—and most are industrial enterprises and large transportation and logistics corporations.
The emails used in such attacks are made to look as legitimate as possible so that the employees who receive them open the accompanying malicious attachments without giving them much thought. The emails were sent on behalf of various companies that did business with potential victims: suppliers, customers, commercial organizations and delivery services. The emails asked recipients to check information in an invoice as soon as possible, clarify product pricing or receive goods specified in the delivery note attached.
The accompanying malware belongs to at least eight different trojan-spy and backdoor families, Kaspersky said, and is designed primarily to steal confidential data and install stealthy remote administration tools on infected systems. The payloads include ZeuS, Pony/FareIT, LokiBot, Luminosity RAT, NetWire RAT, HawkEye, ISR Stealer and iSpy keylogger.
“The phishers selected a toolset that included the functionality they needed, choosing from malware available on cyber-criminal forums,” the firm said in an analysis. “It is worth noting that a complete set of malware for carrying out this type of attack usually costs no more than $200.”
Once in, the attackers can carry out any number of nefarious deeds. In some cases, they gained unauthorized access to the legitimate websites of industrial companies and used them as a platform for hosting malware and C&C servers. The websites were accessed using credentials stolen earlier from infected computers used by the companies’ employees.
In other cases, the spyware programs sent a variety of information from infected machines to C&C servers, including details of industrial companies’ operations and main assets, along with information on contracts and various cost estimates and project plans for some of the current projects at victim enterprises.
Kaspersky also said that in a worst-case scenario, cyber-criminals can gain access to computers that are part of an industrial control system (ICS) as well, gaining remote access and unauthorized control over industrial processes. Remote access to SCADA machines enables attackers to simply switch industrial equipment off or change its settings.
Although attacks on the industrial sector smack of nation-state activity, in this case they appear to be financially motivated. In the most common pattern, the attack ends with criminals redirecting legitimate business transfers of money or payments into their own accounts.
“They make screenshots of the correspondence using malware or set up hidden redirection of messages from the attacked computer’s mailbox to their own mailbox,” Kaspersky explained. “This enables them to track which transactions are being prepared in the company. After selecting the most promising transaction among those in the pipeline, the attackers register domain names that are very similar to the names of the seller companies. Using the newly registered domains, the cyber-criminals are able to carry out a man-in-the-middle attack: they intercept the email with the seller’s invoice and forward it to the buyer after replacing the seller’s account details with the details of an account belonging to the attackers.”
The firm also noted that in the event of a successful attack, the company making a purchase not only loses money but also fails to receive the goods they need on time. This can be critical for industrial companies: if the goods are raw materials used in manufacturing or spare parts needed to repair equipment, their non-delivery can result in downtime or failure to perform scheduled maintenance or commissioning and start-up work.
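The lookalike-domain step Kaspersky describes can be screened for at the mail gateway by comparing sender domains against the domains of known trading partners. The following is an added example, not code from Kaspersky or the original article; the partner domains, sender addresses, confusable pairs and distance threshold are constructed assumptions.

```python
# Partner domains the company really trades with (constructed sample values).
TRUSTED = {"acme-pumps.example", "nordic-freight.example"}
# Character sequences often swapped in to imitate a name visually (assumed set).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"))

def skeleton(name):
    """Collapse confusable sequences so visual imitations compare equal."""
    for fake, real in CONFUSABLES:
        name = name.replace(fake, real)
    return name

def edit_distance(a, b):
    """Optimal string alignment: insert, delete, substitute, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(domain, trusted=TRUSTED, max_distance=2):
    """Return (verdict, trusted domain being imitated or None)."""
    domain = domain.lower().rstrip(".")
    if domain in trusted:
        return ("trusted", domain)
    # Simplification: everything before the last dot is treated as the name,
    # so multi-label suffixes such as co.uk need a public-suffix list instead.
    name = domain.rpartition(".")[0]
    for t in sorted(trusted):
        t_name = t.rpartition(".")[0]
        # Same skeleton: homoglyph swap or TLD swap. Small distance: typo variant.
        if (skeleton(name) == skeleton(t_name)
                or edit_distance(name, t_name) <= max_distance):
            return ("lookalike", t)
    return ("unknown", None)

def scan(senders):
    """Map each flagged sender address to the partner domain it imitates."""
    results = ((a, classify(a.rpartition("@")[2])) for a in senders)
    return {a: t for a, (v, t) in results if v == "lookalike"}

# Constructed sender addresses, as they might appear in a mail gateway log.
SAMPLE = ["billing@acme-pumps.example", "billing@acrne-pumps.example",
          "ops@nordic-frieght.example", "sales@acme-pumps.test",
          "hello@city-bakery.example"]
```

Calling `scan(SAMPLE)` flags the three imitating addresses and leaves the genuine partner and the unrelated sender alone; a flagged message that carries changed account details is the one to verify out of band before payment.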
“The main motivator for cyber-criminals in today’s world is profit, and consequently by targeting the major corporations they raise the potential revenue value,” said Luda Lazar, security research engineer at Imperva, via email. “Nigerian hackers, like other cyber-criminals, are opportunistic, thus they tried to attack some major corporations during 2016 and apparently succeeded. Therefore, it is reasonable to expect an increase in such attacks on industrial companies in [the] future.”