The Radiflow Security Blog
Steganography-based attacks threaten industrial enterprises through their supply chain vendors
BleepingComputer, a renowned information security and technology news publication, had recently reported on a number of cases of highly-targeted attacks on industrial sector in which a malicious payload was hidden in sent images.
According to the article, victims in multiple countries (Japan, the U.K., Germany, Italy) were identified, some of which supply equipment and software solutions to industrial enterprises.
The actors in these incidents used public hosting imaging services to evade network traffic scanners and control tools that would flag the malicious download.
Behind the news
A newly-discovered campaign against hardware & software suppliers to industrial enterprises again sheds light on the cyber risk originating from enterprises’ supply chains and partners. Recently this threat has been constantly increasing, particularly over the past few months.
Kaspersky ICS CERT analysis has exposed the usage of steganography (the technique of hiding secret data within an ordinary file or message, which is extracted at its destination) to avoid detection by security tools. The analysis stated that the attackers’ ultimate goal was, at minimum, stealing credentials.
Many sources speculate that these attacks were state-sponsored.
Such attacks may serve a number of purposes:
- First and foremost, economic espionage.
- Secondly, it could be used to get deep insights into software/hardware design and find zero-day vulnerabilities that can be then exploited in attacks against enterprises that use these products.
- Thirdly, one of major and more common techniques for highly-skilled hackers is to embed a malware or a backdoor in this type of product for later use at their deployments (as was the case in CCleaner and NotPetya)
- Finally, the stolen suppliers’ credentials can be used for initial access into to their customers’ networks during periodic maintenance and service (like in the famous “Cloud Hopper” campaign)
The slew of attacks described above yet again demonstrates that it is the imperative that stakeholders in industrial enterprise cyber security (CISO, OT security manager, Chief Risk officer) manage their organization’s cyber risk properly, validate the security posture of suppliers, monitor 3rd-party network access, and deploy threat detection tools at the production lines to alert on possible exploits.
By hiding a malicious payload in ordinary images, attackers use supply chain vendors to gain access to industrial organizations’ systems.