New cyber-campaign targeting SE Asia critical infrastructure organizations

Four critical infrastructure organizations in a South East Asian country were targeted in an intelligence-gathering campaign that continued for several months, Symantec Threat Hunter Team has found. Among the organizations targeted were a water company, a power company, a communications company, and a defense organization, with evidence the attackers were interested in information about SCADA systems.

Symantec researchers say the attacks were ongoing from at least November 2020 to March 2021, several months before the Colonial Pipeline attack that drew the attention of the world to the danger posed by attacks on critical infrastructure, and may have begun even earlier than that. An attacker gaining access to multiple critical infrastructure organizations in the same country could potentially give malicious actors access to a vast amount of sensitive information.

According to the Threat Hunter Team, there are numerous indications that the same attacker was behind all the attacks, including:

The geographic and sector links of the targeted organizations
The presence of certain artifacts on machines in the different organizations, including a downloader (found in two of the organizations), and a keylogger (found in three of the organizations)
The same IP address was also seen in attacks on two of the organizations

There are some indications that the attacker behind this campaign is based in China, but with the current information available, Symantec cannot attribute the activity to a known actor. Credential theft and lateral movement across victim networks seemed to be a key aim of the attacker, who made extensive use of living-off-the-land tools in this campaign. Among the living-off-the-land or dual-use tools used were:

Windows Management Instrumentation (WMI)
ProcDump
PsExec
PAExec
Mimikatz

The attacker was also seen exploiting a legitimate multimedia player to load a malicious DLL via search order hijacking, as well as exploiting another legitimate tool to load suspicious files onto victim machines.

For more information on each attack, please visit https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/critical-infrastructure-south-east-asia-espionage

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

In today's rapidly evolving security landscape, organizations face an ever-growing array of disruptive events, security threats and risks. Traditional reactive approaches to security intelligence often leave businesses vulnerable and ill-prepared to anticipate and mitigate emerging threats that could impact the safety of their people, facilities or operations.