'Gangnam Industrial Style' campaign targets industrial firms with phishing emails and Separ malware

New North Korea-linked campaign has already compromised at least 200 systems belonging to industrial companies across the world

Researchers at CyberX have uncovered an advanced persistent threat (APT) campaign targeting critical infrastructure equipment manufacturers and other industrial firms primarily located in South Korea.

The group is using spear-phishing emails with malicious attachments, as well as a combination of freely available tools to carry out attacks.

The campaign, dubbed 'Gangnam Industrial Style', has already compromised at least 200 systems, according to CyberX, of which nearly 60 per cent are located in South Korea. The victims include a maker of heavy equipment for power transmission facilities; a chemical plant construction company; steel, valves, pipes manufacturers; and several other firms.


Companies located in Thailand, China, Indonesia, Japan, Turkey, Germany, Ecuador, and the UK have also been affected by the wave of attacks.

According to researchers, the primary objective of the Gangnam attackers is to steal information. This is reflected in their use of the Separ info-stealer malware, which was first documented in 2013 and is considered part of the 'North Korean malware family tree'. Separ enables the attackers to steal login data from email clients and browsers.

In the current campaign, attackers are using a new variant of the Separ malware, which can also collect sensitive documents and images from compromised systems. The stolen details are then uploaded to an FTP server.
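Because the article states that stolen documents are uploaded to an FTP server, one detection a defender can run over existing perimeter logs is to aggregate outbound FTP traffic per internal host and flag large transfers to external servers. The script below is an added example and not CyberX's tooling or anything from the original report; the log format (timestamp, source, destination, destination port, bytes sent), the sample records, the internal address ranges and the 1 MB threshold are all constructed assumptions to be adapted to a real environment.

```python
import ipaddress
from collections import defaultdict

# Constructed firewall/proxy records for demonstration (not real data).
# Fields: timestamp, source IP, destination IP, destination port, bytes sent by source.
SAMPLE_LOG = """\
2019-12-10T08:01:12Z 10.20.5.17 10.20.5.2 445 1840
2019-12-10T08:03:40Z 10.20.5.17 203.0.113.45 21 512
2019-12-10T08:03:41Z 10.20.5.17 203.0.113.45 21 15728640
2019-12-10T08:05:02Z 10.20.5.23 10.20.9.9 21 2048000
2019-12-10T08:06:55Z 10.20.5.17 198.51.100.8 443 90112
"""

FTP_CONTROL_PORT = 21
UPLOAD_THRESHOLD_BYTES = 1_000_000  # assumed tuning value; set per environment

# Assumed internal ranges (RFC 1918); extend with the site's own allocations.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_internal(addr):
    """True when the address falls inside one of the assumed internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETWORKS)


def parse_records(text):
    """Parse the whitespace-separated log format into typed tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        records.append((ts, src, dst, int(port), int(nbytes)))
    return records


def find_ftp_exfil(records, threshold=UPLOAD_THRESHOLD_BYTES):
    """Sum outbound bytes per (internal source, external FTP server) pair and
    return the pairs whose total exceeds the threshold, sorted for stable output."""
    totals = defaultdict(int)
    for _ts, src, dst, port, nbytes in records:
        if port != FTP_CONTROL_PORT:
            continue
        # Only internal hosts talking to servers outside the assumed internal ranges.
        if not is_internal(src) or is_internal(dst):
            continue
        totals[(src, dst)] += nbytes
    return sorted(
        (src, dst, total) for (src, dst), total in totals.items() if total >= threshold
    )


if __name__ == "__main__":
    for src, dst, total in find_ftp_exfil(parse_records(SAMPLE_LOG)):
        print(f"possible FTP exfiltration: {src} -> {dst} ({total} bytes)")
```

The aggregation matters: a single control-channel record is small, so summing per host-to-server pair over the window catches the bulk transfer that a per-line threshold would miss. Internal-to-internal FTP (the fourth record) is deliberately ignored so that legitimate file servers do not generate noise.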

The attackers create separate phishing emails for each potential victim. In one instance, attackers were observed sending an email to a power plant construction company, while posing as an employee of a Siemens subsidiary firm. In the email, they made a request for quotation (RFQ) for constructing a power plant in the Czech Republic and also included technical diagrams and documents to make the email look legitimate.

The phishing emails carry a malicious attachment, usually a zip file containing batch scripts that are disguised to look like PDF files.
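A mail gateway or analyst triage script can catch the attachment pattern the article describes (a zip holding batch scripts dressed up as PDFs) by inspecting archive entry names for script extensions and document-looking double extensions before the user ever opens the file. The code below is an added example and not part of CyberX's research or the original article; the archive it builds in memory, the file names inside it and the extension lists are constructed assumptions, and the batch file bodies are harmless placeholders.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed extension lists; extend to match the organisation's own policy.
SCRIPT_EXTENSIONS = {".bat", ".cmd", ".vbs", ".js", ".ps1", ".exe", ".scr"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}


def build_sample_attachment():
    """Constructed zip attachment for demonstration only; contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("RFQ_CzechPlant.pdf.bat", "@echo off\r\nrem placeholder\r\n")
        zf.writestr("Diagram_A1.pdf", "%PDF-1.4\n% placeholder\n")
        zf.writestr("Specs/Valve_List.xlsx", "placeholder")
        zf.writestr("Specs/readme.cmd", "@echo off\r\n")
    return buf.getvalue()


def suspicious_entries(zip_bytes):
    """Return (entry name, reason) for every archive member whose final extension is a
    script or executable; note separately when a document extension precedes it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            # Zip entries use forward slashes, so PurePosixPath splits them correctly.
            suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
            if not suffixes:
                continue
            if suffixes[-1] in SCRIPT_EXTENSIONS:
                reason = "script/executable inside archive"
                if len(suffixes) > 1 and suffixes[-2] in DOCUMENT_EXTENSIONS:
                    reason = "script disguised with document extension"
                findings.append((name, reason))
    return findings


def should_quarantine(zip_bytes):
    """Policy hook: quarantine when any member is a script or executable."""
    return bool(suspicious_entries(zip_bytes))


if __name__ == "__main__":
    sample = build_sample_attachment()
    for name, reason in suspicious_entries(sample):
        print(f"{name}: {reason}")
    print("quarantine:", should_quarantine(sample))
```

Checking the last suffix, rather than searching the name for ".pdf", is what makes the double-extension case reliable: Windows hides the final extension by default, so a name ending in ".pdf.bat" displays as a PDF while executing as a batch script. The check runs on entry names only and never extracts or executes any member.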

CyberX is advising industrial firms to incorporate a multi-layer defence mechanism in order to protect themselves from these targeted industrial cyber espionage campaigns.

According to the researchers, organisations should train their employees to be wary of email attachments that purport to contain details about RFQs or RFPs.

They should also install email and endpoint security programmes able to detect any suspicious activity on critical systems.