CyberWire Daily - Gangnam Industrial Style APT campaign targets South Korea. [Research Saturday]
Episode Date: May 16, 2020
Section 52, CyberX's threat intelligence team, has uncovered an ongoing industrial cyberespionage campaign targeting hundreds of manufacturing and other industrial firms primarily located in South Korea. CyberX has identified more than 200 compromised systems from this campaign, including one belonging to a multi-billion dollar Korean conglomerate that manufactures critical infrastructure equipment such as heavy equipment for power transmission and distribution facilities, renewable energy, chemical plants, welding, and construction. Joining us in this week's Research Saturday is Phil Neray, one of the authors of this report. The research can be found here: Gangnam Industrial Style: APT Campaign Targets Korean Industrial Companies
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
So this campaign was discovered by Section 52, which is our in-house threat intelligence team.
This is a team composed of former nation-state defenders.
That's Phil Neray. He's VP of IoT and Industrial Cybersecurity at CyberX. The research we're discussing today is titled Gangnam Industrial Style: APT Campaign Targets Korean Industrial Companies.
The research that we're going to talk about today was specifically done by a group of folks, including David Atch, Maayan Shaul, Gil Regev, and Ori Perez.
And it's a campaign that we first started tracking in the spring of 2019, a highly targeted spear-phishing campaign that compromised more than 200 manufacturing and other industrial firms, primarily located in South Korea.
So that's what led us to name the campaign Gangnam Industrial Style.
One of the things that's interesting about this campaign is that it uses high quality content to make the attachments more believable and realistic,
so to get the users to click on them and actually get the malware installed on their systems.
And in that way, it's similar to the Agent Tesla campaign that was recently uncovered by Bitdefender.
I'll give you some examples.
The emails are requesting firms to bid on
projects. So it's RFPs, RFQs. And so in one of them, in an email that was purporting to
be sent from Siemens, of course it wasn't, but it was spoofed to look like it was coming
from Siemens, which is a major global industrial engineering firm,
it referred to a real gasification power plant in the Czech Republic.
To make it even more realistic, it included a white paper as an attachment about the project
and a schematic of the power plant.
In another example, in an email that was spoofed to look like it was coming
from a major Japanese conglomerate, it invited the recipients to bid on a project for a power plant
in Indonesia. And to make it look realistic, they included the annual report for the major Japanese conglomerate. Of course, it's
an annual report that anybody could get from their website, but that's what they used to try to get
the recipients to believe that it was a real offer to bid on these projects and to get them to
download the zip file to their desktops.
And how successful was the campaign in your estimation?
Well, we were able to identify over 200 compromised firms, based on the systems that were compromised and their domain names, primarily located in South Korea, like over 50% were located in South Korea. Over 50% of them were in manufacturing, but we did find victims in other locations like Thailand, Japan, Indonesia, Turkey, Germany, France, Ecuador, and the UK.
And how did you go about discovering this? What was your methodology for uncovering what was going on here?
Yeah, so Section 52, our in-house threat intelligence team, has developed an automated threat extraction platform, which we call Ganymede.
And it supplements the manual work that threat intelligence analysts do all the time, but it's a much more efficient way of doing things because Ganymede ingests data from a range of open and closed sources on the internet
and then uses specialized machine learning algorithms that we've developed to identify
industrial-themed content or IoT-themed content. And so we started seeing this, you know, based on the attachments that were about power plants,
based on the names of some of the companies like Siemens.
That's how we sort of first caught on to this campaign.
Well, let's walk through it together.
Can you take us through exactly how the malware works?
Yeah, certainly.
So as we said, the recipient gets a spear phishing email,
which appears to be very realistic. The email includes as an attachment,
a self-extracting archive,
which when unzipped results in a number of files
being downloaded to the desktop
that appear also to be realistic.
So they've got names that look like Adobe files, for example. But in fact, what these files are,
are a combination of batch scripts, Visual Basic scripts, some executables that then
install a number of tools, malware tools, onto the user's machine.
And one of the interesting things about these tools is these aren't highly sophisticated tools.
They're not exploiting zero days.
This is a collection of open source tools, most of which are freely available on the Internet,
that are used to grab passwords and collect files from the user's desktop.
And then every 90 minutes, these tools upload the data that they've exfiltrated from the
user's machine to the adversary's command and control server, which is located on a
free hosting website, just to make it
harder for anybody to track who these people really are.
So in order to kick things off, to get things running, they're using a PDF file or a file
that appears to be a PDF, but actually isn't?
Correct.
So it has like a PDF icon,
but it's actually a malicious executable.
And then that executable in turn,
or the number of executables,
are really a series of scripts
that were compiled using the batch,
quick batch file compiler.
And then what those scripts actually do
once they start running
is first they run ipconfig, which is a tool to look at all the network adapters that are on the system.
They disable the Windows firewall.
They start dumping passwords from the browser, passwords from email, and then they start looking for documents with specific extensions. So the ones you'd expect, like extensions for Word and Excel, but also I found some really strange file extensions, which I had to look up, which were from like check word processors and things like that. So a bunch of
different files. And then after they've collected the files and the passwords, they upload everything to their FTP server, again, using a tool, a freely available tool for FTP to do it.
And what do you suppose they're after here?
Is it just a broad collection of anything they can grab?
We had a couple of hypotheses about what their true intent was. One would be to deploy ransomware into these environments, either on the corporate network side or on the industrial network side. And you
can see, obviously, that if you deploy ransomware into a plant or to a firm that's running an
industrial network, the cost of the downtime is high, and the owners of the plant might be more
willing to pay the ransom. Another hypothesis is that they are simply doing cyber espionage
to collect information such as sensitive intellectual property about proprietary
manufacturing designs or manufacturing processes, or if it's a nation-state campaign, that they're
collecting information that they can then use in the future to cause some kind of disruption
to these factories.
Are there any indications as to who might be behind this?
No, we were not able to determine who would be behind it. You might guess because South Korea was the target that it would be North Korea.
We don't really know.
This is how I think this campaign is relevant to the Agent Tesla campaign, which was recently talked about by Bitdefender, in the sense that companies are always looking to get new business.
And an email that comes in saying, hey, we'd like you to bid on this project,
is likely to be eagerly opened by the recipient.
Now, the way I think this relates to Agent Tesla is,
in current times, people are even more eager to find new business. And while the Bitdefender folks had a hypothesis that the
goal of the Agent Tesla campaign was to find out what countries were going to do about the OPEC
deal, an alternative hypothesis would be that given the current pandemic, companies are really
desperate for business. And so they're just using this current situation opportunistically because
they think people will be more willing to open these emails without doing any careful scrutiny.
And what sort of recommendations do you have for folks to protect themselves against these sorts of things?
The recommendations that we have to protect against these types of campaigns are
fairly standard. Number one, raise awareness with your employees
about the dangers of clicking on emails
from people you don't know or firms that you don't know.
Look for spoofing in the email addresses
that would indicate that even though it seems
to be coming from Siemens, perhaps it's not.
And then finally, install continuous monitoring in your networks,
both on the IT network and the industrial network, so that if any adversaries actually
do compromise those networks, you can quickly spot their activity. So in the current pandemic,
what we've seen from our clients that are industrial organizations worldwide is that because more workers are required to work remotely, there's been an increase in remote access to their industrial networks,
either by their own employees or by third-party contractors that they hired to configure and
maintain the equipment in their plants.
And as a result, we think that adversaries are looking for ways to steal remote access
credentials, either from the employees or from third-party contractors, so they can
also get into the plants using these remote access methods and hoping that they're going
to be hidden in this higher volume of traffic that we're seeing
now. So, you know, remote access to industrial networks has always been a challenge in that
if you are not using modern methods to enable folks to get to your networks in the factory
remotely, such as using VPNs, using password vaults, using two-factor authentication,
there's a higher likelihood that a bad guy is going to get those credentials and get into your
network without you knowing about it. But we think that in the current pandemic situation,
that's become even more of an issue just because there's a much higher volume of remote access traffic to these networks.
Yeah, I'm really interested in your insights there in terms of how things have changed on the ground for folks in these environments.
Are there, on the OT side of the house, the operational technology side of the house, are there fewer people on site because of the need for folks to stay home to keep that social distancing? Is that an issue as well?
Yes, absolutely. There is, in the current situation, far fewer personnel working in the
plants themselves. And so therefore, they're being asked to do their work remotely. So that work
would include monitoring the systems that are going on in the OT side of the house,
configuring and maintaining the programmable logic controllers.
And in fact, we've gotten requests from our clients who are now much more concerned
about the risk of their industrial networks being compromised
and are looking for us to be able to
remotely deploy our cybersecurity solution to plants. In other words, ship an appliance or
a virtual appliance to these plants and then install it and configure it remotely so that
they can monitor this increased remote access traffic and make sure that nothing bad is happening.
Yeah, that's fascinating.
So the Gangnam Industrial Style Campaign uses a type of malware called SEPAR, S-E-P-A-R.
It has actually been around since 2013 when it was first discovered by SonicWall,
but it has continuously evolved over time. And so this is another trend that we're seeing,
which is using, you know, sort of off the shelf, really available tools to perform these types of
campaigns. And then over time, increasing the number of tools and the types of things that
they can do. So in this case, for example, they're using new tools and compared to the most recent
version of SEPAR that we had seen, the previous version gathered passwords but did not collect
files. So they added the ability to collect sensitive files or all kinds of files like
word files. The second thing they did to improve on the previous version of SEPAR was to use autorun to enable persistence after reboot.
This is a common technique used by malware writers to ensure that after the reboot, the malware continues running.
So this is, I think, also something we saw with Agent Tesla, where that malware had been around for a
while, but it's continuously evolved over time.
Our thanks to Phil Neray from CyberX for joining us. The research we discussed was titled Gangnam Industrial Style: APT Campaign Targets Korean Industrial Companies. We'll have a link in the show notes.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner.
Thanks for listening.