Full Title: Homeland Security ICS-CERT Monitor
Author(s): U.S. Department of Homeland Security
Publisher(s): U.S. Department of Homeland Security
Publication Date: August 1, 2015
Full Text: Download Resource
Description (excerpt):
In July, ICS-CERT became aware of a spear-phishing campaign by advanced persistent threat (APT) actors that targeted multiple sectors, including Chemical, Critical Manufacturing, Energy, and Government Facilities. The activity involved emails with links that redirected to web sites hosting malicious files that exploited a zero-day vulnerability (since then patched) in Adobe Flash Player (CVE-2015-3113).
In previous incidents occurring in early 2014, the same actors also used various social engineering tactics and social media to perform reconnaissance and target company employees. In one case, the malicious actors used a social media account to pose as a prospective candidate for employment and opened a dialogue with employees of a critical infrastructure asset owner. The actors asked probing questions such as the name of the company’s IT manager and the versions of the software currently running. The actor subsequently requested feedback on a resume and sent a “resume.rar” archive as an email attachment for review to the employee’s personal email account. The resume.rar archive contained three files, including a malicious version of the open-source TTCalc application that infected the employee’s computer with Backdoor.APT.CookieCutter. ICS-CERT worked with the affected entity to confirm that the incident occurred on their business network and was quickly contained. No control systems were impacted.