According to the article, victims in multiple countries (Japan, the U.K., Germany, Italy) were identified, some of which supply equipment and software solutions to industrial enterprises.
The actors in these incidents used public image hosting services to evade the network traffic scanners and control tools that would otherwise flag the malicious download.
Behind the news
A newly-discovered campaign against hardware & software suppliers to industrial enterprises again sheds light on the cyber risk originating from enterprises’ supply chains and partners. Recently this threat has been constantly increasing, particularly over the past few months.
Kaspersky ICS CERT analysis has exposed the usage of steganography (the technique of hiding secret data within an ordinary file or message, which is extracted at its destination) to avoid detection by security tools. The analysis stated that the attackers’ ultimate goal was, at minimum, stealing credentials.
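As an added example (not from the article or from Kaspersky's report), the following Python check is one a defender could run on images fetched from public hosting services: it walks the PNG chunk structure and flags bytes trailing after IEND, CRC mismatches, and oversized ancillary chunks, structural anomalies that a download scanner keyed only on file type would not raise. The page does not describe the campaign's actual encoding, so this is a generic structural check, and the sample PNG is constructed inline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: length, type, body, CRC over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png() -> bytes:
    """Constructed 1x1 grayscale PNG used as sample input (not a real artifact)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one gray pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def png_anomalies(data: bytes, max_ancillary: int = 1024) -> list:
    """Return a list of structural findings; an empty list means the PNG looks clean."""
    findings = []
    if not data.startswith(PNG_SIG):
        return ["not a PNG: bad signature"]
    pos = len(PNG_SIG)
    seen_iend = False
    while pos + 8 <= len(data) and not seen_iend:
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        name = ctype.decode("latin-1")
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_bytes) != 4:
            findings.append(f"truncated chunk {name} at offset {pos}")
            return findings
        if struct.unpack(">I", crc_bytes)[0] != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            findings.append(f"CRC mismatch in {name} chunk at offset {pos}")
        # Ancillary chunks (lowercase first letter) are skipped by decoders,
        # so a large one carries no pixels but plenty of room for hidden data.
        if ctype[0:1].islower() and length > max_ancillary:
            findings.append(f"large ancillary chunk {name}: {length} bytes")
        seen_iend = ctype == b"IEND"
        pos += 12 + length
    if not seen_iend:
        findings.append("no IEND chunk")
    elif pos < len(data):
        # Decoders stop at IEND, so anything after it is never rendered.
        findings.append(f"{len(data) - pos} bytes after IEND")
    return findings
```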
Many sources speculate that these attacks were state-sponsored.
Secondly, such access could be used to gain deep insight into software/hardware design and to find zero-day vulnerabilities that can then be exploited in attacks against the enterprises that use these products.
Thirdly, one of the major and more common techniques used by highly skilled attackers is to embed malware or a backdoor in this type of product for later use at the customers' deployments (as was the case with CCleaner and NotPetya).
Finally, the stolen suppliers' credentials can be used for initial access into their customers' networks during periodic maintenance and service (as in the well-known "Cloud Hopper" campaign).
The Takeaway
The slew of attacks described above yet again demonstrates that it is imperative for the stakeholders in industrial enterprise cyber security (CISO, OT security manager, Chief Risk Officer) to manage their organization's cyber risk properly: validate the security posture of suppliers, monitor third-party network access, and deploy threat detection tools on the production lines to alert on possible exploitation.
By hiding a malicious payload in ordinary images, attackers use supply chain vendors to gain access to industrial organizations’ systems.