The computer systems of industrial companies are increasingly attractive targets for cybercrime, both for the financial gain they offer and for the potential for industrial espionage. New malware that recently surfaced, aimed at industrial systems, has proven troubling. Cyber security experts at Kaspersky discovered the malware and, last year, identified over 3000 infected computers in 195 countries worldwide.
Because it closely resembles the Manuscrypt malware of the Lazarus group, a so-called “advanced persistent threat” (APT) actor, the cyber security experts named it “PseudoManuscrypt.” The malware targeted many companies involved with military technology as well as government organizations.
PseudoManuscrypt is downloaded to the target systems by a fake software installer, including ICS-specific pirated software installers. These fake installers may come from a malware-as-a-service (MaaS) platform.
In some cases, PseudoManuscrypt is installed via the now-famous Glupteba botnet. Once on the system, the initial PseudoManuscrypt loader then installs the other malicious modules.
So far, the Kaspersky team has identified two main variants of this module. Both have features that can steal saved passwords, log keystrokes, capture data from the clipboard, harvest VPN software and RDP connection data, and take screenshots. The attacks do not favor specific industries, but the number of engineering computers attacked, including 3D and physical modeling systems, suggests that industrial espionage may be the goal in some cases.
Some of the victims of these new attacks are linked to previous Lazarus campaigns, and the malware uses a very rare protocol that was spotted in APT41 malware a while back. However, even though the group behind it has been active for a long time, given the many victims and the absence of a specific target, the security team does not attribute the campaign to any known APT group.
Here is the defensive strategy against the threat of a PseudoManuscrypt attack:
- Ensure that all endpoint protections are enabled on the systems, and there is a policy to require the administrator password if someone tries to disable the software.
- Use security solutions that were specifically designed for production systems.
- The administrator should check whether Active Directory policies limit which users can log on to which systems.
- The user should only be able to log in to network services that are necessary for their job functions.
- Consider using managed detection and response (MDR) services, which allow professionals to respond in real time.
- Use local and domain administrator privileges only when necessary to complete maintenance tasks.
- Train employees in the safe use of the Internet, email, and all other communication channels, with particular attention to explaining the consequences of downloading and running files from unknown or unauthorized sources.
Cyber-attacks on industrial control systems have grown over the last several years, and the risk they pose remains substantial. In addition, cyber security is now recognized as a shared responsibility between sectors such as government and industry. Cyber-attacks on these control systems have widespread implications for safety, security, and critical infrastructure, including essential manufacturing processes.