Experts from Section 52, CyberX’s threat intelligence team, uncovered an ongoing cyberespionage campaign, tracked as Gangnam Industrial Style, that targeted industrial, engineering, and manufacturing organizations, most of them (60%) in South Korea.
Among the victims of the Gangnam Industrial Style campaign is a company that builds critical infrastructure, including chemical plants and power transmission and distribution facilities; other victims are firms in the renewable energy sector.
Other victims of the group were in Indonesia, Turkey, Germany, Ecuador, and the United Kingdom.
“Section 52, CyberX’s threat intelligence team, has uncovered an ongoing industrial cyberespionage campaign targeting hundreds of manufacturing and other industrial firms primarily located in South Korea,” reads the report published by the CyberX experts.
“The campaign steals passwords and documents which could be used in a number of ways, including stealing trade secrets and intellectual property, performing cyber reconnaissance for future attacks, and compromising industrial control networks for ransomware attacks.”
The tactics, techniques, and procedures suggest the involvement of an advanced persistent threat (APT) group.
Threat actors launched spear-phishing attacks using emails with malicious attachments often disguised as PDF files.
The attachments are “industrial-themed”: they include white papers, power plant diagrams, and requests for quotes on facility blueprints. In some cases, the attackers used publicly available company profile brochures in PDF format. One of the emails was disguised as a legitimate message from a Siemens subsidiary.
Attackers used a new variant of the Separ credential-stealing malware, a malicious code first spotted by SonicWall in 2013.
The info-stealer collects browser and email credentials and searches for files with a range of extensions, including Office documents and image files. Separ exfiltrates the stolen data via FTP to a free web hosting service (freehostia.com).
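The exfiltration path described above (plaintext FTP to a free web hosting provider) is a useful detection opportunity for defenders: legitimate business traffic rarely pushes large volumes over FTP to consumer hosting domains. The script below is an added example, not code from the CyberX report or from Security Affairs. It parses constructed firewall log lines (the log format, the IP addresses, the byte counts and the `example-freehost.test` domain are all assumptions; only `freehostia.com` comes from the report) and flags internal hosts that open FTP sessions to watch-listed free-hosting domains, escalating severity when the upload volume looks like a bulk document dump rather than a credential beacon.

```python
import re
from collections import defaultdict

# Watch-list of free web hosting domains. freehostia.com is named in the
# CyberX report; example-freehost.test is a constructed placeholder standing
# in for the providers a defender would enumerate from their own intel.
FREE_HOSTING_DOMAINS = {"freehostia.com", "example-freehost.test"}

# Constructed sample firewall log lines (not from the report). Assumed format:
# <timestamp> <src_ip> <dst_host> <dst_port> <proto> <bytes_out>
SAMPLE_LOGS = """\
2019-12-10T08:01:12Z 10.0.5.21 intranet.corp.test 443 tcp 1820
2019-12-10T08:02:40Z 10.0.5.21 ftp.freehostia.com 21 tcp 940
2019-12-10T08:02:41Z 10.0.5.21 ftp.freehostia.com 21 tcp 5242880
2019-12-10T08:03:05Z 10.0.5.33 updates.vendor.test 80 tcp 60210
2019-12-10T08:04:17Z 10.0.5.48 files.example-freehost.test 21 tcp 12300
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<port>\d+) (?P<proto>\S+) (?P<bytes>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the assumed format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def registered_domain(host):
    """Reduce a hostname to its last two labels (ftp.freehostia.com -> freehostia.com).

    This naive heuristic is fine for the sample data; a production detector
    should use a public-suffix list so co.uk-style domains are handled correctly.
    """
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def find_ftp_exfil(log_text, watchlist=FREE_HOSTING_DOMAINS, ftp_ports=(21,)):
    """Aggregate, per internal source host, FTP sessions to watch-listed domains."""
    hits = defaultdict(lambda: {"bytes_out": 0, "sessions": 0, "destinations": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["port"] not in ftp_ports:
            continue
        if registered_domain(rec["dst"]) in watchlist:
            h = hits[rec["src"]]
            h["bytes_out"] += rec["bytes"]
            h["sessions"] += 1
            h["destinations"].add(rec["dst"])
    return dict(hits)


def alerts(log_text, threshold_bytes=1_000_000):
    """Return (source, severity, bytes_out, destinations) for each flagged host.

    Any FTP session to a watch-listed domain is at least 'medium'; once the
    cumulative upload volume passes threshold_bytes it is 'high', since that
    pattern matches bulk document theft rather than a small credential post.
    """
    out = []
    for src, h in sorted(find_ftp_exfil(log_text).items()):
        severity = "high" if h["bytes_out"] >= threshold_bytes else "medium"
        out.append((src, severity, h["bytes_out"], sorted(h["destinations"])))
    return out


if __name__ == "__main__":
    for alert in alerts(SAMPLE_LOGS):
        print(alert)
```

On the constructed sample, host 10.0.5.21 is flagged as high (two FTP sessions to ftp.freehostia.com totalling just over 5 MB) and 10.0.5.48 as medium; the HTTPS and HTTP sessions are ignored. In a real deployment the watch-list would be fed from threat intelligence and the thresholds tuned to the organization's baseline, and the same logic applies equally to proxy or NetFlow records once the parser is adapted.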
“Our research indicates the Gangnam Industrial Style campaign is ongoing, because new stolen credentials are still being uploaded to the adversary’s C2 server,” concludes the analysis.
(SecurityAffairs – Gangnam Industrial Style, hacking)