Four critical infrastructure organizations in a South East Asian country were targeted in an intelligence-gathering campaign that continued for several months, Symantec Threat Hunter Team has found. Among the organizations targeted were a water company, a power company, a communications company, and a defense organization, with evidence the attackers were interested in information about SCADA systems.
Symantec researchers say the attacks were ongoing from at least November 2020 to March 2021, several months before the Colonial Pipeline attack that drew the attention of the world to the danger posed by attacks on critical infrastructure, and may have begun even earlier than that. An attacker gaining access to multiple critical infrastructure organizations in the same country could potentially give malicious actors access to a vast amount of sensitive information.
According to the Threat Hunter Team, there are numerous indications that the same attacker was behind all the attacks, including:
- The geographic and sector links of the targeted organizations
- The presence of certain artifacts on machines in the different organizations, including a downloader (found in two of the organizations), and a keylogger (found in three of the organizations)
- The same IP address was also seen in attacks on two of the organizations
There are some indications that the attacker behind this campaign is based in China, but with the current information available, Symantec cannot attribute the activity to a known actor. Credential theft and lateral movement across victim networks seemed to be a key aim of the attacker, who made extensive use of living-off-the-land tools in this campaign. Among the living-off-the-land or dual-use tools used were:
- Windows Management Instrumentation (WMI)
- ProcDump
- PsExec
- PAExec
- Mimikatz
The attacker was also seen exploiting a legitimate multimedia player to load a malicious DLL via search order hijacking, as well as exploiting another legitimate tool to load suspicious files onto victim machines.
For more information on each attack, please visit https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/critical-infrastructure-south-east-asia-espionage