
Kaspersky ICS CERT Report: 2020 attacks target suppliers of equipment and software for industrial enterprises

http://www.kadhoai.com.cn 2026-04-07 20:59:51 Translated by 《中華工控網》 (China Industrial Control Network)


In early 2020, a series of targeted attacks on industrial organizations in various regions was reported. According to the latest Kaspersky ICS CERT findings, these attacks were focused on systems in Japan, Italy, Germany and the UK and targeted suppliers of equipment and software for industrial enterprises. Research has shown that attackers used malicious Microsoft Office documents, PowerShell scripts and several other techniques to make it difficult to detect and analyze their malware. One such technique is steganography, a data-hiding technique that conceals messages within digital files.


Targeted attacks on industrial objects naturally attract attention from the cybersecurity community, as they are sophisticated and focused on sectors of critical value. Any disruption in the continuity of work can lead to unwanted consequences, from successful industrial espionage to comprehensive financial losses.


This examined series of attacks was no exception. Phishing emails, used as the initial attack vector, were tailored and customized to the language of each specific victim. The malware used in this attack performed destructive activity only if the operating system had a localization that matched the language used in the phishing email. For example, in the case of an attack on a company from Japan, the text of the phishing email and the Microsoft Office document containing a malicious macro were written in Japanese. Also, to successfully decrypt the malware module, the operating system had to have a Japanese localization.


Closer analysis has shown that attackers used the Mimikatz utility to steal the authentication data of Windows accounts stored on a compromised system. This information can be used by attackers to gain access to other systems within the enterprise network and extend the attack. This is particularly dangerous when attackers gain access to accounts that have domain administrator rights.


Figure: Detailed attack scheme

In all detected cases, the malware was blocked by Kaspersky security solutions which prevented the attackers from continuing their activity. As a result, the ultimate goal of the criminals remains unknown. Kaspersky ICS CERT experts continue to monitor new, similar cases. If an organization encounters such an attack, it can be reported by using this special form on the Kaspersky website.


“This attack attracted attention due to several non-standard technical solutions used by the attackers,” said Vyacheslav Kopeytsev, a security expert at Kaspersky. “For instance, the malware module is encoded inside the image using steganography methods, and the image itself is hosted on legitimate web resources. This makes it almost impossible to detect the download of such malware using network traffic monitoring and control tools. From the point of view of technical solutions, such activity does not differ from the usual access given to legitimate image hosting. Coupled with the targeted nature of infections, these techniques indicate the sophisticated and selective nature of these attacks. It is a matter of concern that industrial contractors are among the victims of the attack. If the authentication data of employees of the contractor organization falls into malicious hands, this can lead to many negative consequences, starting with the theft of confidential data and ending with attacks on industrial enterprises through remote administration tools used by the contractor.”


“The attack on contractors once again demonstrates that for electric power facilities to be operated reliably, it is critically important to ensure workstations and servers are protected, both on corporate and operational technology networks,” comments Anton Shipulin, solution business lead, Kaspersky Industrial CyberSecurity. “Although strong endpoint protection may be enough to prevent similar attacks, in this case, we still recommend using the most comprehensive approach to support the industrial facility’s cyber-defense. Attacks through contractors and suppliers can have completely different entry points within the enterprise, including ones on the OT network. Even though the attack’s objectives remained unclear, it is more accurate to follow the assumption that attackers have the potential to gain access to the facility’s critical systems. Modern means of network monitoring, anomaly and attack detection can help to detect signs of an attack on industrial control systems and equipment in a timely manner, and prevent a possible incident.”


To reduce the risks of being attacked, industrial organizations are advised to:

  • Provide training to employees of enterprises on how to work with email securely and, in particular, identify phishing emails.
  • Restrict the execution of macros in Microsoft Office documents.
  • Restrict execution of PowerShell scripts (if possible).
  • Pay particular attention to PowerShell process startup events initiated by Microsoft Office applications. Restrict programs from receiving SeDebugPrivilege privileges (if possible).
  • Install a security solution for corporate endpoints such as Kaspersky Endpoint Security for Business, with the ability to centrally manage security policies, and maintain up-to-date antivirus databases and software modules for security solutions.
  • Use security solutions for OT endpoints and networks such as KICS for Nodes and KICS for Networks to ensure comprehensive protection for all industry-critical systems.
  • Install security solutions on all systems with the ability to centrally manage security policies, and maintain up-to-date antivirus databases and software modules for security solutions.
  • Use accounts with domain administrator rights only when necessary. After using such accounts, restart the system where authentication was performed.
  • Implement a password policy with requirements for the level of complexity and regular password changes.
  • Upon an initial suspicion that systems are infected, perform an antivirus check and force password changes for all accounts that were used to log in on compromised systems.
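The fourth recommendation above (watch for PowerShell process starts whose parent is a Microsoft Office application) is the one most directly tied to the macro-plus-PowerShell chain described in this report. The following is an added example, not code from the Kaspersky report or its authors, of the detection logic a SOC would put behind that recommendation. The input records are constructed here to resemble the fields of Windows Security event 4688 (NewProcessName, ParentProcessName, CommandLine); in production they would come from the Security log or from Sysmon event 1 via your SIEM. The Office and PowerShell image lists and the flag pattern are assumptions chosen for the example, not values from the report.

```python
"""Flag PowerShell launches whose parent process is a Microsoft Office application.

Added example for illustration; the event records below are constructed
to look like Windows Security event 4688 data, not real telemetry.
"""
import re
from pathlib import PureWindowsPath

# Office executables that should normally never need to start a shell
# (assumed list for this example; extend to match your environment).
OFFICE_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe",
    "outlook.exe", "msaccess.exe", "mspub.exe",
}

# PowerShell hosts to watch for.
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# Arguments that hide the window, skip the profile, bypass execution policy or
# pass an encoded script. They are a supporting signal, not proof of malice.
SUSPICIOUS_ARGS = re.compile(
    r"(^|\s)-(e|ec|enc|encodedcommand|nop|noprofile|w\s+hidden|"
    r"windowstyle\s+hidden|ep\s+bypass|executionpolicy\s+bypass)\b",
    re.IGNORECASE,
)


def _basename(path):
    """Lower-cased file name of a Windows path, e.g. 'winword.exe'."""
    return PureWindowsPath(path).name.lower()


def classify(event):
    """Return the list of reasons an event is suspicious; empty means benign."""
    reasons = []
    image = _basename(event.get("NewProcessName", ""))
    parent = _basename(event.get("ParentProcessName", ""))
    if image in POWERSHELL_IMAGES and parent in OFFICE_PARENTS:
        reasons.append(f"powershell spawned by office application {parent}")
        if SUSPICIOUS_ARGS.search(event.get("CommandLine", "")):
            reasons.append("command line uses hiding/encoding flags")
    return reasons


def scan(events):
    """Return (EventRecordID, reasons) for every flagged event, in input order."""
    hits = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits.append((ev["EventRecordID"], reasons))
    return hits


# Constructed sample events (not from any real host).
SAMPLE_EVENTS = [
    {   # Word launching a hidden, encoded PowerShell: the macro chain to alert on
        "EventRecordID": 1001,
        "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA...",
    },
    {   # A user opening PowerShell from the desktop: benign parent
        "EventRecordID": 1002,
        "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentProcessName": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell.exe",
    },
    {   # Excel starting Notepad: Office parent but not a shell
        "EventRecordID": 1003,
        "NewProcessName": r"C:\Windows\System32\notepad.exe",
        "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "CommandLine": "notepad.exe",
    },
    {   # Excel starting pwsh with a plain script: flagged, but without the extra signal
        "EventRecordID": 1004,
        "NewProcessName": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "CommandLine": r"pwsh.exe -File C:\Scripts\export.ps1",
    },
]

if __name__ == "__main__":
    for record_id, reasons in scan(SAMPLE_EVENTS):
        print(record_id, "; ".join(reasons))
```

Run as-is it reports records 1001 and 1004; 1001 carries both reasons and is the case worth an immediate look, while 1004 is the kind of hit that a known-good script path can be allow-listed against once reviewed. The parent-process match is the primary signal because the report's attack started from an Office macro; the argument check only ranks hits, so a launch without those flags is still surfaced.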

Copyright © 2026 Gkong.com (工控網). All Rights Reserved.