Was IT infrastructure in Eastern Europe hit by targeted attacks carried out by an APT group early this year for industrial espionage? Probably yes. That’s what security experts from the global cybersecurity company Kaspersky have claimed.
The entire IT infrastructure of targeted organisations in Eastern Europe and Afghanistan came under attack from an APT group in January 2022, cybersecurity company Kaspersky claimed.
In January 2022, Kaspersky ICS CERT detected a wave of targeted attacks on military-industrial complex enterprises and public institutions in several Eastern European countries and in Afghanistan. The cybercriminals were able to take control of victims’ entire IT infrastructure – for the purpose of industrial espionage.
Early in January, Kaspersky researchers witnessed several advanced attacks on military enterprises and public organisations. The primary aim of these targeted attacks was to access the companies’ private information and to gain control over their IT systems. The malware used by the attackers is similar to that deployed by TA428, a Chinese-speaking APT group.
The attackers infiltrate enterprise networks by sending carefully crafted phishing emails, some of which contain information specific to the targeted organisation that had not been made public at the time the emails were sent. This indicates that the attackers deliberately prepare for the attacks and select their targets in advance.
The phishing emails include a Microsoft Word document with malicious code that exploits a vulnerability allowing an attacker to execute arbitrary code without any additional user activity. The vulnerability exists in outdated versions of the Microsoft Equation Editor, a component of Microsoft Office.
Moreover, the attackers used six different backdoors at the same time – to set up additional communication channels with infected systems in case one of the malicious programs was detected and removed by a security solution. These backdoors provide extensive functionality for controlling infected systems and collecting confidential data.
The attack’s final stage involves hijacking the domain controller and gaining complete control of all the organisation’s workstations and servers – and in one of the cases, they even took over the cybersecurity solutions control centre.
After gaining domain administrator privileges and access to Active Directory, the attackers ran the “golden ticket” attack to impersonate arbitrary user accounts in the organisation and search for documents and other files containing the attacked organisation’s sensitive data, which they exfiltrated to attacker-controlled servers hosted in different countries.
“Golden Ticket attacks take advantage of the default authentication protocol which has been used since the availability of Windows 2000. By forging Kerberos Ticket Granting Tickets (TGTs) within the corporate network, the attackers can independently access any service that belongs to the network for an unlimited time,” said Vyacheslav Kopeytsev, security expert at Kaspersky ICS CERT.
“As a result, just changing passwords or blocking compromised accounts won’t be enough. Our advice is to check carefully all suspicious activity and rely on trustworthy security solutions,” added Vyacheslav.
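As an added illustration that is not part of the Kaspersky report or this article, the following Python script turns the two points in the quotes above (a forged TGT is never issued by the KDC and can outlive any password change or ticket lifetime policy) into simple checks over constructed Windows Security events. The event records, the account list, the field names and the 10-hour TGT lifetime are assumptions for the example, not values from the report.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Real 4768 (TGT requested) and
# 4769 (service ticket requested) events carry many more fields; only the
# ones this heuristic needs are modelled, with "host" standing in for the
# event's client address.
SAMPLE_EVENTS = [
    {"id": 4768, "user": "alice", "host": "WS01", "time": "2022-01-10T08:00:00"},
    {"id": 4769, "user": "alice", "host": "WS01", "time": "2022-01-10T08:00:05", "service": "cifs/FS01"},
    # Service tickets from a host that never asked the KDC for a TGT:
    # consistent with a TGT forged offline and injected into the session.
    {"id": 4769, "user": "administrator", "host": "WS07", "time": "2022-01-10T09:15:00", "service": "ldap/DC01"},
    # Impersonated account that does not exist in the directory at all.
    {"id": 4769, "user": "svc_backup9", "host": "WS07", "time": "2022-01-10T09:16:00", "service": "cifs/DC01"},
    # The same TGT still in use a day later, past the domain's TGT lifetime.
    {"id": 4769, "user": "alice", "host": "WS01", "time": "2022-01-11T08:00:00", "service": "cifs/FS01"},
]
KNOWN_ACCOUNTS = {"alice", "bob", "administrator"}   # constructed AD account list
MAX_TGT_LIFETIME = timedelta(hours=10)                # assumed domain policy value

def find_golden_ticket_indicators(events, known_accounts, max_tgt_lifetime=MAX_TGT_LIFETIME):
    """Return (reason, event) pairs for service-ticket requests that deserve a look.

    Simplifying assumption: TGT renewals are not modelled, so a legitimately
    renewed TGT older than max_tgt_lifetime would also be flagged.
    """
    findings = []
    last_tgt = {}  # (user, host) -> time the KDC last issued that session a TGT
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        key = (ev["user"].lower(), ev["host"])
        if ev["id"] == 4768:
            last_tgt[key] = when
            continue
        if ev["id"] != 4769:
            continue
        if ev["user"].lower() not in known_accounts:
            findings.append(("service ticket for an account unknown to AD", ev))
        issued = last_tgt.get(key)
        if issued is None:
            findings.append(("service ticket with no TGT issued by the KDC", ev))
        elif when - issued > max_tgt_lifetime:
            findings.append(("service ticket used beyond the TGT lifetime policy", ev))
    return findings

def summarise(findings):
    """Count findings per reason, the shape a triage view would show."""
    return dict(Counter(reason for reason, _ in findings))

if __name__ == "__main__":
    for reason, ev in find_golden_ticket_indicators(SAMPLE_EVENTS, KNOWN_ACCOUNTS):
        print(f"{ev['time']} {ev['host']:5} {ev['user']:14} {reason}")
```

On the constructed events the script flags both requests from WS07 and the day-old alice ticket while leaving the legitimate TGT/service-ticket pair alone; in a real environment the same checks run over 4768/4769 events collected from every domain controller.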