Researchers have detailed some changes in the tactics and toolset of an ongoing attack campaign against industrial enterprises. The attacks involve the use of the Remote Manipulator System (RMS) and TeamViewer. Apparently, the attackers are now using new techniques and targeting a wider range of enterprises.
Recently, cybercriminals have been observed using legitimate-looking documents, such as memos and documents detailing equipment settings or other industrial process information, to target industrial enterprises. These documents were apparently stolen during earlier attacks.
- Hackers targeted industrial systems of enterprises in Russia across several sectors, primarily focusing on the energy sector. They are also targeting the manufacturing, oil and gas, metal industry, engineering, construction, mining, and logistics sectors.
- Hackers are now reportedly using legitimate remote administration software such as TeamViewer or RMS infrastructure for their communication with infected systems. Previously this was done using a malware command-and-control server.
- For these attacks, hackers are using spyware and the Mimikatz utility to steal authentication credentials. These are used to further infect other systems on the enterprise network.
- The ultimate goal of these attacks is to steal money from victim organizations.
To target industrial enterprises, hackers have started using simple tools; however, they have been improving upon their methods. The use of innovative methods for remote attacks is alarming for organizations. Experts recommend that enterprises keep cybersecurity at the top of their priority list and keep investing in the gradual upgrade of their infrastructure.