"Golden Ticket" Industrial Espionage, Advanced APT Targets IT Infrastructure

Kaspersky ICS CERT has detected a wave of targeted attacks on military-industrial complex companies and public institutions in several European countries (photo: Kaspersky)

JAKARTA - Kaspersky ICS CERT has detected a wave of targeted attacks on military-industrial complex companies and public institutions in several Eastern European countries and Afghanistan. Cybercriminals can take control of a victim's entire IT infrastructure for industrial espionage purposes.

Kaspersky Industrial Control Systems Cyber ​​Emergency Response Team (Kaspersky ICS CERT) is a global project launched by Kaspersky in 2016 to coordinate the efforts of automation system vendors, industrial facility owners and operators, and IT security researchers to protect industrial enterprises from cyber attacks.

In January 2022, Kaspersky researchers witnessed several follow-up attacks on military companies and public organizations. The main purpose of such attacks is to access the company's personal information and to gain control over IT systems. The Malware used by the attackers is similar to that spread by TA428 APT, the Chinese-language APT group.

Attackers infiltrate corporate networks by sending carefully crafted phishing emails, some of which contain organization-specific information that was not publicly available at the time the emails were sent. This indicates that the attacker is deliberately preparing for the attack and selecting their target in advance.

Phishing emails include Microsoft Word documents with malicious code to exploit vulnerabilities that allow attackers to execute arbitrary code without any additional activity. The vulnerability exists in an old version of Microsoft Equation Editor, a component of Microsoft Office.

In addition, the attacker uses six different backdoors simultaneously to set up additional communication channels with the infected system if any of the malicious programs are detected and removed by the security solution. This backdoor provides extensive functionality to control infected systems and collect confidential data.

The final stage of the attack involved hijacking the domain controllers and gaining complete control over all the workstations and servers of the organization and in one of the cases, they even took over the control center of the cybersecurity solution.

After gaining domain administrator rights and access to Active Directory, the attacker executes a "golden ticket" attack. to impersonate an organization's user account arbitrarily and search for documents or other files containing sensitive data of the organization being attacked. Then the data is infiltrated into the attacker's servers hosted in various countries.

Vyacheslav Kopeytsev, a security expert at ICS CERT Kaspersky said that the Golden Ticket attack leverages the default authentication protocol that has been in use since the availability of Windows 2000. By forging Kerberos Ticket Granting Tickets within the corporate network, attackers can independently access any service. that the network has for an indefinite period of time.

“As a result, simply changing the password or blocking the compromised account will not be enough. Our advice is to carefully scrutinize all Vyacheslav Kopeytsev, a security expert at ICS CERT Kaspersky for suspicious activity and rely on reliable security solutions."