CyberX: Hackers Targeting Intellectual Property at Companies in South Korea and Elsewhere
CyberX researchers have discovered a cyberespionage campaign targeting manufacturers.
A new cyberespionage campaign has targeted hundreds of manufacturing and other industrial firms in South Korea and has spread to other parts of Asia and Europe, according to security firm CyberX.
The apparent goal of the campaign is to steal trade secrets and intellectual property as well as credentials, CyberX reports. Most of the targets are large-scale industrial firms, including a steel manufacturer, a chemical plant construction firm, pipe and valve manufacturers and an engineering firm, the security company writes in a blog.
CyberX’s threat intelligence team, Section 52, found that over 200 companies have been targeted by this unknown advanced persistent threat group. While the majority of targeted companies are located in South Korea, the campaign has also affected firms in Japan, Indonesia, Turkey, Germany, Ecuador and the U.K., the blog notes.
CyberX researchers note that one of the victims was “a multi-billion dollar Korean conglomerate that manufactures critical infrastructure equipment.”
These cyberespionage attacks start with a phishing email that contains what the CyberX report calls “industrial-themed” attachments and reports, including what appear to be whitepapers, schematic designs, corporate information and other details about business operations. In one instance, the spear phishing message sent to one employee was disguised to look like a legitimate message from a subsidiary of Siemens, the report notes.
Malicious PDF attachment (Source: CyberX)
The CyberX researchers found that most of the PDF attachments in the phishing emails are zip files containing malicious executables that, if opened, install malware that steals credentials and passwords and allows the attackers to maintain persistence in a network and avoid detection.
The goal, the blog notes, is to steal intellectual property as well as compromise the network and the industrial control systems that control these facilities.
“The campaign steals passwords and documents which could be used in a number of ways, including stealing trade secrets and intellectual property, performing cyber reconnaissance for future attacks, and compromising industrial control networks for ransomware attacks,” according to the blog.
When CyberX researchers examined the malicious attachments, they found that they contained an updated version of Separ malware, an information stealer first discovered by SonicWall in 2013. The malware has been redesigned to target industrial systems and facilities, the blog notes. The attackers incorporated freely available online tools to expand Separ’s capabilities.
Separ has the ability to steal browser and email credentials as well as search for documents with a range of extensions, including Office documents and images, the blog notes. The malware then uses an FTP connection to send stolen data to a domain controlled by the attackers.
The malware also performs a series of other tasks, according to the blog. For example, it:
- Runs ipconfig network configurations to map all network adapters on the compromised system;
- Disables Windows firewall;
- Dumps browser and email passwords;
- Collects files with specific extensions from user folders, mostly documents;
- Uploads all the results to the FTP server.
Industrial Espionage in the Spotlight
Over the past several months, other researchers have identified cyberespionage campaigns targeting facilities in Asia.
Earlier this month, hackers suspected of being based in Vietnam reportedly compromised the network of German automaker BMW and South Korea’s Hyundai (see: Vietnamese APT Group Targets BMW, Hyundai: Report).
And a new malware campaign discovered earlier this month, suspected of being tied to Iran, targeted companies in the energy and industrial sectors in the Middle East for potential industrial espionage or to disrupt critical infrastructure (see: Wiper Malware Targets Middle Eastern Energy Firms: Report).