A new analysis by Kaspersky unveiled a wave of targeted attacks on military-industrial complex enterprises and public institutions in Belarus, Russia, Ukraine and Afghanistan.
The cybersecurity company made the announcement in an advisory published on Monday, which claims the attackers were able to penetrate several enterprises and hijack the IT infrastructure of some of them.
Kaspersky did not name these entities but said they included industrial plants, design bureaus and research institutes, government agencies, ministries and departments.
In terms of how the threat actors (TA) infiltrated these entities, Kaspersky said the initial vector was phishing emails, some of which contained information specific to the organization under attack (and not publicly available).
“This could indicate that the attackers did preparatory work in advance,” the advisory read.
According to the report, the phishing emails contained Microsoft Word documents that exploited the CVE-2017-11882 vulnerability, a flaw enabling attackers to execute arbitrary code without any additional user activity.
Kaspersky further explained that in the attacks analyzed, the main module responsible was the PortDoor malware, a tool that collects general information on the infected system and sends it to the malware command-and-control (CnC) server.
“In cases where an infected system is of interest to the attackers, they use the PortDoor functionality to control the system remotely and install additional malware,” said the advisory.
The analysis of the campaign also showed the use of five additional backdoors at the same time: nccTrojan, Logtu, Cotx, DNSep and a fifth, unnamed one.
In terms of attribution, Kaspersky said significant overlaps in tactics, techniques, and procedures (TTP) have been observed with APT TA428, a Chinese threat group allegedly behind campaigns targeting government IT in Eastern Asia in 2019.
“The findings of our research show that spear phishing remains one of the most relevant threats to industrial enterprises and public institutions,” read the advisory’s conclusion.
“Given that the attackers have had some success, we believe it is highly likely that similar attacks will occur again in the future. Industrial enterprises and public institutions should do a great deal of work to successfully thwart such attacks.”
Technical details of the attacks, recommendations and indicators of compromise are available in the advisory’s full public version.