Experts from CyberX’s threat intelligence team Section 52 uncovered an ongoing
Victims of the Gangnam Industrial Style campaign include makers of critical infrastructure, chemical plants, and power transmission and distribution facilities, as well as firms in the renewable energy sector.
Other victims of the group were in Indonesia, Turkey, Germany, Ecuador, and the United Kingdom.
“Section 52, CyberX’s threat intelligence team, has uncovered an ongoing industrial
“The campaign steals passwords and documents which could be used in a number of ways, including stealing trade secrets and intellectual property, performing cyber reconnaissance for future attacks, and compromising industrial control networks for ransomware attacks.”
The tactics, techniques, and procedures suggest the involvement of an advanced persistent threat (APT) group.
Threat actors launched spear-phishing attacks using emails with malicious attachments often disguised as PDF files.
The attachments are “industrial-themed”: they include white papers, power plant diagrams, and quote requests for blueprints of facilities. In some cases, the attackers used publicly available company profile brochures in PDF format. One of the emails was disguised as a legitimate message sent by a Siemens subsidiary.
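Because the lures above arrive as attachments “disguised as PDF files,” one cheap mail-gateway check is to compare what the file name claims with what the first bytes of the content actually are. The script below is an added example written for this article, not code from CyberX or from the campaign; the file names and byte strings it inspects are constructed for illustration, and the format signatures and extension lists are ordinary public facts about those file formats.

```python
"""Triage e-mail attachments whose names claim to be PDFs.

Added illustrative code: file names and bytes below are constructed samples,
not artifacts recovered from the campaign described in the article.
"""
from typing import Dict, List, Tuple

# Leading bytes ("magic numbers") of common container formats.
MAGIC: Dict[str, bytes] = {
    "pdf": b"%PDF-",
    "pe": b"MZ",                 # Windows executables (EXE, DLL, SCR)
    "zip": b"PK\x03\x04",        # ZIP, which also covers DOCX/XLSX
    "ole": b"\xd0\xcf\x11\xe0",  # legacy Office (DOC/XLS) and MSI
}

# Extensions that Windows will run directly when double-clicked.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "cpl",
                         "js", "vbs", "bat", "cmd", "hta"}


def claimed_extensions(filename: str) -> List[str]:
    """Every extension in the name, lowercased: 'a.PDF.Exe' -> ['pdf', 'exe']."""
    basename = filename.lower().rsplit("/", 1)[-1]
    parts = basename.split(".")
    return parts[1:] if len(parts) > 1 else []


def detect_format(data: bytes) -> str:
    """Identify the container format from its leading bytes, or 'unknown'."""
    for name, magic in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def inspect_attachment(filename: str, data: bytes) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings: List[str] = []
    exts = claimed_extensions(filename)
    last = exts[-1] if exts else ""
    actual = detect_format(data)

    # "report.pdf.exe": a PDF-looking name that ends in a runnable extension.
    if "pdf" in exts[:-1] and last in EXECUTABLE_EXTENSIONS:
        findings.append("double extension: .pdf followed by executable extension")
    # Name says PDF, bytes say otherwise (no %PDF- header at offset 0).
    if last == "pdf" and actual != "pdf":
        findings.append(f"claims PDF but content is {actual}")
    # PE header hidden behind a benign-looking or missing extension.
    if actual == "pe" and last not in EXECUTABLE_EXTENSIONS:
        findings.append("executable content with non-executable extension")
    # Plainly executable attachments are worth flagging regardless of content.
    if last in EXECUTABLE_EXTENSIONS:
        findings.append(f"executable extension .{last}")
    return findings


# Constructed sample attachments (hypothetical names and bytes).
SAMPLE_ATTACHMENTS: List[Tuple[str, bytes]] = [
    ("power_plant_diagram.pdf", b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>"),
    ("quote_request.pdf.exe", b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56),
    ("company_profile.pdf", b"MZ\x90\x00" + b"\x00" * 60),
    ("blueprint.docx", b"PK\x03\x04\x14\x00\x06\x00"),
]


def triage(attachments: List[Tuple[str, bytes]]) -> Dict[str, List[str]]:
    """Run inspect_attachment over a batch and key the findings by file name."""
    return {name: inspect_attachment(name, data) for name, data in attachments}


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_ATTACHMENTS).items():
        status = "OK" if not findings else "SUSPICIOUS"
        print(f"{status:10} {name}: {'; '.join(findings) or 'no findings'}")
```

The check only looks at the first bytes, so a genuine PDF that carries a malicious embedded object passes it; it is a cheap first-pass filter for the specific mismatch the article describes, to be layered under proper attachment sandboxing rather than used in place of it.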
Attackers used a new variant of the Separ credential-stealing malware, malicious code that was first spotted by SonicWall in 2013.
The info-stealer is used to collect browser and email credentials and searches for documents with a range of extensions, such as Office documents and image files. The Separ malware
“Our research indicates the Gangnam Industrial Style campaign is ongoing, because new stolen credentials are still being uploaded to the