A group with similar tactics, techniques, and procedures as the North Korea-affiliated Lazarus Group has targeted government and privacy industry computers through 2021, with a focus on industrial control systems (ICS), security firm Kaspersky stated in a Dec. 16 brief.

As of Nov. 10, the unattributed group had targeted more than 35,000 systems in 195 countries with malware dubbed PseudoManuscrypt by Kaspersky because its features resemble those of the Manuscrypt program used by Lazarus Group. While the operation does not appear to single out any industries, affected systems included computers at military-industrial enterprises and research laboratories, with more than 7% of computers installed as part of industrial control systems.

While the attack does not stand out for the volume of compromised systems, the number of sensitive systems should raise eyebrows, says Vyacheslav Kopeytsev, security expert at Kaspersky.

"The fact that a large number of ICS computers across the globe — thousands according to our telemetry alone, and in reality, very likely to be much more — have been attacked in this campaign certainly makes it a threat that merits the very closest attention of specialists responsible for the security and safety of shop-floor systems and their continuous operation," he says. 

"With the large number of engineering computers attacked, including systems used for 3D and physical modeling," he adds, "the development and use of digital twins raises the issue of industrial espionage as one of the possible objectives of the campaign."

For defenders, industrial control systems represent a high risk due to their vulnerability and potential impact of an attack. Many of these systems are older and predate a growing focus over the past decade on secure design and development, leaving behind features that are essentially design vulnerabilities that can be easily manipulated by attackers. The hijack of the Oldsmar, Fla., water treatment plant in early 2021 spotlighted the possibilities of simple attacks against infrastructure that is insecure by design.

However, malware attacks, such as PseudoManuscrypt, continue to be a common way to cross between IT networks and OT networks. The malware is first installed through fake versions of purportedly pirated software, including ICS software, as well as through malware-as-a-service (MaaS) networks, according to Kaspersky's analysis. After a complicated installation chain, the malware collects information from linked computers and devices.

"The most serious impact of this malware is confidential data theft — logins and passwords, VPN connection settings, screenshots, and even video recording from the screen; all of this is collected by PseudoManuscrypt," Kopeytsev says.

The link to the Lazarus group is fairly weak. Lazarus Group's operations have been linked to the North Korean government's Bureau of Reconnaissance, and its activities overlap with APT37, APT38, and Kimsuky. In an operation dubbed ThreatNeedle, Lazarus Group used custom malware called Manuscrypt, which shares many similarities with the new malware, PseudoManuscrypt, according to additional information published by Kaspersky.

"Both malicious programs load a payload from the system registry and decrypt it," Kopeytsev says. "The executable files of both malicious programs have virtually identical export tables. In addition, the two malicious programs use similar executable file naming formats."

Other hints to the identity of the attacker include comments in Chinese in the program's metadata, the use of a library also previously used by Chinese state-sponsored group APT41, and communications to the command-and-control server sent in Chinese.

"[W]e cannot say for certain whether the campaign is pursuing criminal mercenary goals or goals correlating with some governments’ interests," Kaspersky stated in its analysis. "Nevertheless, the fact that attacked systems include computers of high-profile organizations in different countries makes us assess the threat level as high."

In the first four months of 2021, the company saw only a low level of PseudoManuscrypt detections, but that changed in May, when more than 200 instances of the malware were detected every day. The top countries affected by the ongoing attack are Russia, India, and Brazil, which account for more than 30% of all computers attacked using PseudoManuscrypt. Organizations in the United States were the eighth most-targeted, representing only 2.4% of activity.

Of the industrial systems attacked, 44% were in the engineering and building-automation industries.

Some commonsense steps can help companies deal with malware, even ICS-focused malware. Overall security can be improved by requiring an administrative password be entered to turn off security, and two-factor authentication can foil credential-stuffing attacks. Manufacturers, engineering firms, and utilities should use dedicated security to protect their shop-floor systems, Kaspersky said.