Kaspersky's Global Research and Analysis Team (GReAT) and Industrial Control Systems Cyber Emergency Response Team (ICS CERT) have unveiled significant developments in the cyber espionage activities targeting Eastern European industrial companies with the use of updated MATA toolset. The investigation, spanning months, exposed sophisticated attack techniques, updated malware capabilities, and a novel infection chain.

In early September 2022, new malware samples linked to the MATA cluster, previously associated with the Lazarus group, were identified. This campaign, targeting over a dozen Eastern European corporations, persisted from mid-August 2022 to May 2023. The attackers employed spear-phishing emails utilising a CVE-2021-26411 exploit, and Windows executable malware downloads through web browsers.

The MATA infection chain was intricate, integrating loader, main trojan, and stealers, with exploits, rootkits and precise victim validation processes. A key discovery involved internal IP addresses used as Command and Control (C&C) servers, indicating attackers deployed their own control and exfiltration system inside the victims’ infrastructure. Kaspersky promptly alerted affected organisations, leading to swift responses.

The attack initiated from a factory with a phishing email, infiltrated the network and compromised a parent company's domain controller. They utilised vulnerabilities and rootkits to interfere with security systems, gaining control over workstations and servers. Notably, they accessed security solution panels, exploiting vulnerabilities and weak configurations to gather information and distribute malware to subsidiaries and systems not connected to corporate domain infrastructure.

"Protecting the industrial sector from targeted attacks requires a vigilant approach that combines robust cybersecurity practices with a proactive mindset. At Kaspersky, our experts literally follow APT developments keeping track of their evolution and predicting their moves to be able to detect their new tactics and tools. Our ongoing dedication to cybersecurity research is driven by a commitment to provide organisations with critical insights into the ever-evolving landscape of cyber threats. By staying informed and implementing the latest security measures, businesses can bolster their defence against sophisticated adversaries and safeguard their networks and systems," comments Vyacheslav Kopeytsev, a senior security researcher at Kaspersky’s ICS CERT.

Other noteworthy findings include:

• Three new Generations of MATA Malware – 3, 4 and 5: These featured advanced remote control capabilities, modular architecture, and support for various protocols, along with flexible proxy server chains.
• Linux MATA Generation 3: The Linux version shared capabilities with its Windows counterpart and was delivered through security solutions.
• USB Propagation Module: Facilitating infiltration of air-gapped networks, this module transferred data via removable media, particularly in systems holding sensitive information.
• Stealers: These were employed to capture sensitive information, such as screenshots and stored credentials, customised to specific circumstances.
• EDR/Security Bypass Tools: Attackers leveraged public exploits to escalate privileges and bypass endpoint security products. Additionally, the BYOD (Bring Your Own Vulnerable Driver) technique was used on systems with the CVE-2021-40449 vulnerability patch installed.
• The latest MATA versions utilise techniques similar to ones used by 5-eyes APT groups, thus raising some questions in the process of attribution that are hard to give a definite answer.

In order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:

• Provide your SOC team with access to the latest threat intelligence (TI). Kaspersky Threat Intelligence is a single point of access for the company’s TI, providing it with cyberattack data and insights gathered by Kaspersky spanning over 20-years.
• Upskill your cybersecurity team to tackle the latest targeted threats with Kaspersky online training developed by GReAT experts.
• Establishing continuous vulnerability assessment and triage as a basement for effective vulnerability management process. Dedicated solutions like Kaspersky Industrial CyberSecurity may become an efficient assistant and a source of unique actionable information, not fully available in public.
• For endpoint level detection, investigation, and timely remediation of incidents, implement EDR solutions such as Kaspersky Endpoint Detection and Response.
• In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform.
• As many targeted attacks start with phishing or other social engineering techniques, introduce security awareness training and teach practical skills to your team – for example, through the Kaspersky Automated Security Awareness Platform.
• To make sure your team and your tools and your processes are prepared for a sophisticated incident response at the shop floor of your facility we recommend dedicated trainings such as Digital Forensics and Incident Response in ICS by Kaspersky ICS CERT.

Kaspersky will delve deeper into the future of cybersecurity at their Security Analyst Summit (SAS) 2023, set for October 25th-28th in Phuket, Thailand.

The summit will gather elite anti-malware researchers, global law enforcement, Computer Emergency Response Teams, and senior leaders from sectors including finance, tech, healthcare, academia, and government from around the world.