Researchers identified an ongoing series of cyber attacks targeting many high-profile organizations, including supervisory control and data acquisition (SCADA) security companies, universities, and defense contractors. The attacks use customized malicious files to entice targeted users into opening them and starting the compromise. The campaign uses a series of hacked servers as command and control points, and researchers said the tactics and tools indicate the attackers may be located in China.
The first evidence of the campaign was an attack on Digital Bond, a company that provides security services for industrial control systems. The attack begins with a spear-phishing email, carrying a PDF attachment, sent to employees of the targeted company. In addition to the attack on Digital Bond, researchers found the campaign also hit users at Carnegie Mellon University, Purdue University, and the University of Rhode Island. The Chertoff Group, a government consultant, and NJVC, a government contractor, were also targeted.
AlienVault identified similarities to the so-called Shady RAT attacks first publicized by McAfee in August 2011. The attackers are not hitting random targets with this campaign but are selecting their targets carefully. "According to the information collected, the targets of these campaigns are somehow related with the U.S. government or U.S. Defense contractors directly, providing different services such as authentication software/hardware, Industrial Control Systems security, or strategic consulting," a researcher at IOActive wrote in an analysis of the attacks.