- Cybersecurity researchers at Kaspersky Labs identified the malware.
- The malware used by APT31 targets European industrial control systems.
- The Chinese APT31 group is also known as Zirconium and Judgment Panda.
In its latest research report published on July 31, 2023, Kaspersky ICS CERT shared exclusive details of a new threat trend gaining momentum and targeting air-gapped ICS systems.
Researchers at Kaspersky noted that in this campaign attackers deploy second-stage malware after the first-stage implants to remotely access critical industrial control systems (ICS) and extract data from them. The malware then lets third-stage tools take over the device and transmit the data.
The attack should not come as a surprise due to recent reports exposing the activities of Chinese Group Storm-0558. These reports revealed the group’s successful hacking of email accounts belonging to European government officials.
Additionally, there was another report indicating the Chinese APT group’s targeting of European embassies using the SmugX malware. Moreover, just last month, it was reported that Chinese espionage malware was used to target European healthcare systems, utilizing malicious USB drives as a vector of attack. These alarming incidents highlight the need for heightened cybersecurity measures and vigilance in countering such threats.
Reportedly, Kaspersky ICS CERT researchers were investigating a string of cyberattacks targeted against critical infrastructure in Eastern Europe when they discovered second-stage malware capable of evading data security measures typically protecting air-gapped systems.
Researchers believe that by using this novel malware, threat actors are trying to establish a permanent presence on the ICS systems so they can keep exfiltrating the sensitive data stored on them.
Further investigation revealed signs indicating the involvement of Chinese state-backed APT31 (aka Zirconium and Judgment Panda), even though the perpetrators had used advanced TTPs to obfuscate their actions.
For instance, they used encrypted payloads, DLL hijacking, injected payloads into legitimate processes, and embedded malware in authorized apps’ memory to evade detection. These steps highlight the “sophistication of their tactics,” explained Kaspersky ICS CERT’s senior security researcher Kirill Kruglov.
For your information, second-stage malware is far more complex and harder to detect than single-stage as it involves two steps to perform its malicious tasks. It is typically disguised as a legit program and can bypass advanced antivirus solutions.
During their research, the Kaspersky threat intelligence team also identified over fifteen distinct implants, along with several variants, which they divided into three categories. Two of these implants loaded the second-stage malware, one of which is a modular malware that can profile and contaminate removable drives with a worm. It can steal data from air-gapped/isolated ICS networks.
This malware contains three modules, each performing different tasks. For instance, it uses separate tools for profiling/handling removable drives, capturing screenshots, and planting second-stage malware on all connected devices. The second implant can steal data from local computers and transmit it to Dropbox through third-stage tools.
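Because the first implant described above bridges the air gap by planting malware on removable drives, a defender's routine check before a USB stick is carried into an isolated ICS network is to audit its file tree for the usual signs of staged executables. The script below is an added example written for this article, not code from Kaspersky or Hackread; the heuristics (autorun.inf in the drive root, double extensions, PE headers under document extensions, shortcuts named after sibling folders, executables in hidden directories) and the sample drive layout are constructed assumptions, not indicators from the report.

```python
"""Audit a removable drive's file tree for common signs of USB-borne staging.

Added example for illustration. The heuristics and the sample drive built by
build_sample_drive() are constructed assumptions, not IoCs from the report.
"""
import shutil
import tempfile
from pathlib import Path

# File types that can execute or launch something on a Windows host (assumed list).
EXEC_EXT = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".ps1"}
# Extensions a user would expect to be harmless documents or images (assumed list).
DOC_EXT = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".jpg", ".png"}


def _has_pe_header(path: Path) -> bool:
    """Return True if the file starts with the 'MZ' DOS/PE magic bytes."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def scan_removable_drive(root) -> dict:
    """Walk the drive and return {relative_path: [reasons]} for suspicious files."""
    root = Path(root)
    findings: dict = {}

    def flag(path: Path, reason: str) -> None:
        findings.setdefault(path.relative_to(root).as_posix(), []).append(reason)

    for path in root.rglob("*"):
        if not path.is_file():
            continue
        suffixes = [s.lower() for s in path.suffixes]
        ext = suffixes[-1] if suffixes else ""
        parent_parts = path.relative_to(root).parts[:-1]

        # Legacy autorun file in the drive root (ignored by modern Windows, still a red flag).
        if path.parent == root and path.name.lower() == "autorun.inf":
            flag(path, "autorun.inf in drive root")
        # "invoice.pdf.exe": a document-looking name ending in an executable extension.
        if len(suffixes) >= 2 and suffixes[-2] in DOC_EXT and ext in EXEC_EXT:
            flag(path, "double extension hides executable type")
        # A PE binary stored under a non-executable extension (renamed loader).
        if ext not in EXEC_EXT and _has_pe_header(path):
            flag(path, "PE header (MZ) under non-executable extension")
        # A shortcut with the same name as a sibling folder, which users click by habit.
        if ext == ".lnk" and (path.parent / path.stem).is_dir():
            flag(path, "shortcut named after a sibling folder")
        # Executables tucked into dot-prefixed (hidden) directories.
        if ext in EXEC_EXT and any(p.startswith(".") for p in parent_parts):
            flag(path, "executable inside hidden directory")
    return findings


def build_sample_drive(base) -> Path:
    """Create a constructed drive layout with one clean file and several suspicious ones."""
    base = Path(base)
    (base / "Reports").mkdir()
    (base / "Reports" / "q2.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")
    (base / "autorun.inf").write_text("[autorun]\nopen=setup.exe\n")
    (base / "invoice.pdf.exe").write_bytes(b"MZ" + b"\x00" * 62)
    (base / "Reports.lnk").write_bytes(b"L\x00\x00\x00")
    (base / ".cache").mkdir()
    (base / ".cache" / "photo.jpg").write_bytes(b"MZ" + b"\x00" * 62)
    (base / ".cache" / "loader.exe").write_bytes(b"MZ" + b"\x00" * 62)
    return base


def demo() -> dict:
    """Build the sample drive in a temp dir, scan it, clean up, return the findings."""
    tmp = tempfile.mkdtemp(prefix="usb_audit_")
    try:
        return scan_removable_drive(build_sample_drive(tmp))
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    for rel, reasons in sorted(demo().items()):
        print(f"{rel}: {'; '.join(reasons)}")
```

On a real drive, call `scan_removable_drive("E:/")` (or the mount point) and treat any finding as grounds to reject the media at the transfer station; the heuristics are deliberately cheap so they can run on a kiosk host without a network connection.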
The attack starts with invading the ICS network, for which APT31 uses already known remote access and data collection tools. Once infiltrated, the attackers deploy an advanced modular malware to contaminate the storage devices, and afterwards, data exfiltration commences.
The third and final stage of the attack chain entails exfiltrating data using a range of tools and uploading it on a C2 server. This operation has been planned meticulously, considering that the threat actor uses multiple attack tactics to ensure persistence without getting detected.
This is a developing story, as Kruglov states that the research is ongoing. Hackread will update its readers as soon as there is any update. Meanwhile, industrial organizations are urged to upgrade their cybersecurity defences, keep enterprise OT network components updated, limit the use of privileged accounts, and exercise caution to prevent the threat.
“As the investigation continues, remain resolute in its dedication to safeguarding against targeted cyber-attacks and collaborating with the cybersecurity community to disseminate actionable intelligence.”