Yesterday CyberX published a blog
post about a new cyber espionage campaign that they explain targeted “hundreds
of manufacturing and other industrial firms primarily located in South Korea.”
They have named the campaign ‘Gangnam Industrial Style’ in a left-handed salute
to the Korean targets.
Now, this report is in the form of a blog post, so it does
not have all of the technical details that we have come to expect from a new
APT attack disclosure. Even so, there are some interesting points that bear
additional scrutiny.
Ganymede
Typically, when we see these reports of a new cyber-attack
campaign, they are initially based on information that the researchers obtained
from their customers. Reports of anomalies, equipment problems, or compromised
data cause the research firm to use their forensic capabilities to
discover the core of the problem. When AV companies are involved, they can then
look at the vast array of information provided by their (blissfully unaware, in
many instances) customers to track similar indicators of compromise and determine
the world-wide scope of the problem.
CyberX apparently has decided on a different track to
finding attack indicators. They use a new tool, an automated threat-extraction
platform called Ganymede.
According to the blog post:
“Ganymede continuously ingests
large amounts of data from a range of open and closed sources. It uses
specialized machine learning algorithms to identify documents with
IoT/ICS-specific content as well as any malicious attachments, and to monitor
domains of industrial companies that might be targeted.”
Apparently, in this case, Ganymede looked at emails to one
or more of the reportedly affected companies to determine that they were phishing
emails and contained a malicious .ZIP file carrying the initial infection
vector. I specifically asked if the emails referenced in the post were from CyberX
customers and I was told by David Atch, VP of Research at CyberX:
“No, one of Section 52's [the name
of the division of CyberX that conducted this research] abilities is to
proactively uncover attacks using Ganymede. We work hard to find threats before
they hit our customers.”
Commentary
I’m sorry, but that sounds suspiciously illegal: intercepting
and reading corporate emails. I am sure that the attorneys for CyberX would
disagree, but let’s leave that aside for a moment.
One of the things that we hear from less tech-savvy commenters
is the question of why the government can’t protect us from cyber-attacks, particularly
nation-state-level attacks on critical infrastructure. The standard answer is
that it would require a DHS presence on corporate networks to accomplish
this, and that is something that corporate America has been loath to accept.
Well, maybe a tool like Ganymede shows us a way around that.
It would appear that monitoring communications into the network from the
outside would allow a government agency like CISA to identify and flag
dangerous communications before they actually infect the network. But, would
companies want that type of external monitoring any more than they would a
government presence on their network?
What would the government be monitoring for? Malware, of
course. But if the malware were not actually attached to the emails, as CyberX
is reporting in this case, looking for malware would be less than effective. So,
to detect phishing emails with links to sites hosting malware, the
government would have to look at the content of the emails. Okay, maybe they
would not be looking at all the words, diagrams, and pictures in the email;
they would just have to look for links and then determine if those links led to
phishing sites (or porn sites, or gambling sites, or questionable banking
sites; but no, they would just be looking for phishing sites, the government
does not care about the other stuff).
But what if a company does not want the government to ‘look’
at their emails, because how could you tell the difference between ‘looking’
and ‘reading’? Well, simple enough: you encrypt all of your email. Then, of
course, the search for phishing emails would be stopped cold as well. You see
the problem.
Side Note
How did I get started on this CyberX thing? Well, I got an
email from a marketing firm asking if I would agree to an embargo on writing
about the ‘Gangnam Industrial Style’ campaign until after the CyberX blog post was
published. In return I would get to see the blog post in advance. And
apparently, I was not the only one (just do a Google® search for the attack name).
I receive a couple of these every week. Usually I do not respond
because I lack the technical skills to adequately evaluate all of the details involved.
But something piqued my interest this time…
Now, I am sure that CyberX will not be happy about this
post, but I am not sorry about that. Readers of this blog are probably
painfully aware that I speak my mind. That and the fact that I look at things
from a slightly different perspective than most people writing in this field.
So, please keep those embargo offers coming. Just be aware
that you will not get press release coverage in this blog.