Researchers at Russian cybersecurity firm Kaspersky have revealed a series of highly targeted attacks against several industrial holdings dating back to at least 2018.
Among advanced persistent threat (APT) actors, attacks of this kind are rarer than campaigns against diplomats and other high-profile political figures.
The toolset used in the attack - named MT3 by its authors, but dubbed "MontysThree" by the firm - uses a variety of subroutines and techniques to remain undetected, including hosting its communications with the control server on public cloud services and hiding the main malicious module using steganography.
Most APT attacks are aimed at government entities, telecoms firms or diplomats, because those targets handle highly valuable and confidential information in their day-to-day operations.
Attacks on industry are rare but can be just as devastating, according to the researchers, since such targeted attacks can have disastrous consequences for businesses and markets.
For that reason, once MontysThree was detected in the summer of 2020, the analysts at Kaspersky were quick to take note.
To carry out this espionage, MontysThree deployed a malware program consisting of four modules. The first - the loader - was spread using self-extracting archives such as .rar files, presented as containing pertinent information like medical records to trick employees into opening them - a common technique used in phishing.
The primary purpose of the loader is to keep the malware from being detected. To do this, the attackers employ steganography, the practice of hiding malicious data inside an ordinary, non-threatening file or message. In this case, the data was hidden in a bitmap image.
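To make the bitmap technique concrete, here is an added example written for this article; it is not MontysThree's code, and Kaspersky describes the real scheme only as "custom" steganography, so the example uses the generic least-significant-bit (LSB) method instead. It builds a constructed 24-bit BMP, hides a pseudo-random payload (standing in for an encrypted module) in the LSB of every pixel byte, recovers it again, and then runs the pairs-of-values chi-square check that defenders use to flag an image whose LSB plane looks like embedded random data. The image dimensions, the gradient cover and the seed are assumptions made for the example.

```python
import random
import struct

# Constructed example, not MontysThree's actual scheme: generic LSB embedding in a
# 24-bit BMP, the matching extraction, and the pairs-of-values chi-square check
# that flags an LSB plane carrying (pseudo)random data.

WIDTH, HEIGHT = 64, 64          # assumed image size
HEADER_LEN = 14 + 40            # BITMAPFILEHEADER + BITMAPINFOHEADER


def make_cover():
    """Constructed cover image: horizontal gradient, every channel = 4 * x."""
    return bytearray(4 * x for _y in range(HEIGHT) for x in range(WIDTH) for _c in range(3))


def to_bmp(pixel_bytes):
    """Wrap raw BGR pixel bytes as an uncompressed 24-bit BMP (rows 4-byte aligned)."""
    row = WIDTH * 3
    pad = (4 - row % 4) % 4
    body = b"".join(bytes(pixel_bytes[y * row:(y + 1) * row]) + b"\x00" * pad
                    for y in range(HEIGHT))
    file_header = struct.pack("<2sIHHI", b"BM", HEADER_LEN + len(body), 0, 0, HEADER_LEN)
    info_header = struct.pack("<IiiHHIIiiII", 40, WIDTH, HEIGHT, 1, 24, 0,
                              len(body), 2835, 2835, 0, 0)
    return file_header + info_header + body


def pixel_bytes_from_bmp(bmp):
    """Read the header fields and return the pixel bytes with row padding removed."""
    offset = struct.unpack_from("<I", bmp, 10)[0]
    width, height = struct.unpack_from("<ii", bmp, 18)
    bpp = struct.unpack_from("<H", bmp, 28)[0]
    if bpp != 24:
        raise ValueError("example handles 24-bit BMPs only")
    row = width * 3
    stride = (row + 3) & ~3
    out = bytearray()
    for y in range(abs(height)):
        start = offset + y * stride
        out += bmp[start:start + row]
    return out


def embed(pixel_bytes, payload):
    """Overwrite the LSB of each pixel byte with the next payload bit, MSB-first."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(pixel_bytes):
        raise ValueError("payload too large for cover image")
    out = bytearray(pixel_bytes)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return out


def extract(pixel_bytes, length):
    """Recover `length` bytes from the LSB plane written by embed()."""
    data = bytearray()
    for n in range(length):
        byte = 0
        for i in range(8):
            byte = (byte << 1) | (pixel_bytes[n * 8 + i] & 1)
        data.append(byte)
    return bytes(data)


def pairs_of_values_chi2(pixel_bytes):
    """Chi-square per degree of freedom over the value pairs (2k, 2k+1).

    LSB embedding of random-looking data drives the counts of 2k and 2k+1 towards
    equality, so a fully embedded image scores near 1.0, while an untouched image
    with an uneven histogram scores far higher.
    """
    hist = [0] * 256
    for b in pixel_bytes:
        hist[b] += 1
    chi, df = 0.0, 0
    for k in range(128):
        total = hist[2 * k] + hist[2 * k + 1]
        if total == 0:
            continue            # pair unused by this image, no evidence either way
        expected = total / 2
        chi += ((hist[2 * k] - expected) ** 2 + (hist[2 * k + 1] - expected) ** 2) / expected
        df += 1
    return chi / df if df else 0.0


def demo():
    """Round-trip a constructed payload and score the cover and stego images."""
    rng = random.Random(1337)   # fixed seed: payload stands in for an encrypted blob
    payload = bytes(rng.getrandbits(8) for _ in range(WIDTH * HEIGHT * 3 // 8))
    cover = make_cover()
    stego_pixels = pixel_bytes_from_bmp(to_bmp(embed(cover, payload)))
    return {
        "roundtrip_ok": extract(stego_pixels, len(payload)) == payload,
        "cover_chi2": pairs_of_values_chi2(pixel_bytes_from_bmp(to_bmp(cover))),
        "stego_chi2": pairs_of_values_chi2(stego_pixels),
    }


if __name__ == "__main__":
    print(demo())
```

The statistic is a screening heuristic, not proof: a genuinely noisy photograph can also score near 1.0, and a scheme that embeds sparsely or in a custom layout (as Kaspersky says MontysThree's does) will not equalise every pair, so in practice it is combined with file-format anomalies and the behaviour of whatever parses the image.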
The malware also uses encryption to stay hidden, notably RSA, an algorithm normally used for secure data transmission. The toolset is specifically designed to target both Adobe and Microsoft documents, and it can also capture screenshots and "fingerprint" the target to determine whether it is of interest.
The collected information can then be stored on public cloud services such as Google or Dropbox.
Kaspersky has not been able to link the malicious code to any known APT group.
Denis Legezo, a senior security researcher with Kaspersky's Global Research and Analysis Team, said: "MontysThree is interesting not just because of the fact that it's targeting industrial holdings, but because of the combination of sophisticated and somewhat 'amateurish' TTPs.
"In general, the sophistication varies from module to module, but it can't compare to the level used by the most advanced APTs. However, they use strong cryptographic standards and there are indeed some tech-savvy decisions made, including custom steganography.
"Perhaps, most importantly, it's clear that the attackers have put significant effort into developing the MontysThree toolset, suggesting they are determined in their aims - and that this is not meant to be a short-lived campaign."
Experts at Kaspersky have offered advice to any firms wishing to avoid similar attacks.
They recommend that companies provide staff with basic cybersecurity hygiene training, as many targeted attacks start with phishing or other social engineering techniques. They also recommend equipping security teams with the latest threat intelligence software and implementing EDR solutions for endpoint-level detection.
Finally, they recommend that firms protect both industrial and corporate endpoints with specialist software designed to detect and expose such attacks.