New cyber-campaign targeting SE Asia critical infrastructure organizations

August 6, 2021

Four critical infrastructure organizations in a South East Asian country were targeted in an intelligence-gathering campaign that continued for several months, Symantec Threat Hunter Team has found. Among the organizations targeted were a water company, a power company, a communications company, and a defense organization, with evidence the attackers were interested in information about SCADA systems.

Symantec researchers say the attacks were ongoing from at least November 2020 to March 2021, several months before the Colonial Pipeline attack that drew the attention of the world to the danger posed by attacks on critical infrastructure, and may have begun even earlier than that. An attacker gaining access to multiple critical infrastructure organizations in the same country could potentially give malicious actors access to a vast amount of sensitive information.

According to the Threat Hunter Team, there are numerous indications that the same attacker was behind all the attacks, including:

The geographic and sector links of the targeted organizations
The presence of certain artifacts on machines in the different organizations, including a downloader (found in two of the organizations), and a keylogger (found in three of the organizations)
The same IP address was also seen in attacks on two of the organizations

There are some indications that the attacker behind this campaign is based in China, but with the current information available, Symantec cannot attribute the activity to a known actor. Credential theft and lateral movement across victim networks seemed to be a key aim of the attacker, who made extensive use of living-off-the-land tools in this campaign. Among the living-off-the-land or dual-use tools used were:

Windows Management Instrumentation (WMI)
ProcDump
PsExec
PAExec
Mimikatz

The attacker was also seen exploiting a legitimate multimedia player to load a malicious DLL via search order hijacking, as well as exploiting another legitimate tool to load suspicious files onto victim machines.

For more information on each attack, please visit https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/critical-infrastructure-south-east-asia-espionage

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.

How can security leaders charged with investigations handle the management of interviewers and interrogators, as well as handle interviewing, including dealing with false confessions and misleading information?

Poll

Recruiting Diverse Candidates

View Results

Poll Archive

Products

Effective Security Management, 7th Edition

Effective Security Management, 5e, teaches practicing security professionals how to build their careers by mastering the fundamentals of good management. Charles Sennewald brings a time-tested blend of common sense, wisdom, and humor to this bestselling introduction to workplace dynamics.

See More Products

New cyber-campaign targeting SE Asia critical infrastructure organizations

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.

New cyber-campaign targeting SE Asia critical infrastructure organizations

Related Articles

Related Products

Related Events

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.