Between August 2022 and May 2023 [4], a cyber espionage operation targeted Eastern European companies in the oil and gas sector and the defense industry [2] [4] [5] [6] [7]. The operation used spear-phishing and an exploit for a previously patched Internet Explorer vulnerability to deliver malware built on the MATA framework, a toolset previously associated with the North Korean Lazarus Group [1]. More than a dozen corporations were hit, and some of the techniques resembled those used by Five Eyes APT groups, which complicates attribution.

Description

Between August 2022 and May 2023 [4] [7], a persistent cyber espionage operation targeted Eastern European industrial companies in the oil and gas sector and the defense industry [5] [7]. Kaspersky's Global Research and Analysis Team (GReAT) and its Industrial Control Systems Cyber Emergency Response Team (ICS CERT) uncovered the operation [5]. The toolset is an updated version of the MATA framework [1] [2] [4] [5] [6] [7], which Kaspersky first documented in 2020 and which has previously been associated with the North Korean Lazarus Group [1]. More than a dozen corporations were affected; Kaspersky promptly alerted them, and the affected organizations responded quickly [5].

Initial access came through spear-phishing emails carrying malicious links [1]. The links led to an exploit for CVE-2021-26411 [2] [5] [6], an Internet Explorer vulnerability that was exploited as a zero-day in 2021 and has been patched since, and victims were tricked into downloading Windows executable malware [7]. The attack chain therefore consisted of spear-phishing, exploit deployment, and the installation of MATA generation 4 [7].

Once inside, the attackers deployed several stealers to capture screenshots, credentials and browser cookies [1], and used a dedicated module to reach air-gapped systems through USB thumb drives [1] [4] [5]. To bypass endpoint detection and response (EDR) tools they used CallbackHell, a publicly available exploit [1] for the Windows kernel vulnerability CVE-2021-40449, together with rootkits and vulnerable drivers [2] [4] [5] [6]. They also disguised files, applied multilevel file encryption, and tightly controlled connections to their command-and-control servers to mask their activity [1] [4]. These vulnerabilities were combined with weak configurations to take control of workstations and servers [5]. The framework includes the MataDoor backdoor [4] [5], has proxy functionality [4], and supports several communication protocols [5]; the name Dark River also appears in reporting on this toolset [4].

MATA has gone through multiple generations with increasingly advanced remote control capabilities [5]. It steals information, including passwords, and can propagate through USB drives to infiltrate air-gapped networks [7]. The fifth generation, MATAv5 [2] [3] [4] [5] [6] [7], is a complete rewrite with a new architecture and communication layer and supports over 100 commands for cyber espionage tasks [7].

The Lazarus Group is suspected to be behind the attacks, but attribution is difficult because MATA has been revamped, the targets are new [7], and some techniques resemble those of Five Eyes APT groups. Organizations should conduct regular security audits, train employees to recognize phishing, and stay current on threat reporting to defend against MATA [7].
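The three host-side behaviours in the chain above (a browser spawning a payload loader after the Internet Explorer exploit, a non-Microsoft driver being loaded as the staging step for vulnerable-driver abuse and rootkits, and an executable written to removable media for USB propagation) can be hunted for in endpoint telemetry. The script below is an illustration added by the editor, not Kaspersky's detection logic; it runs over constructed Sysmon-style records (Event IDs 1, 6 and 11 with Sysmon's field names), and the indicator sets, host names and the `removable_drives` inventory are assumptions.

```python
"""Hunting checks for three MATA-style behaviours over constructed Sysmon-style
events: browser -> payload loader (IE exploit follow-on), loading of a driver not
signed by Microsoft (vulnerable-driver / rootkit staging), and an executable
written to removable media (USB propagation toward air-gapped hosts).
Editor's added example, not code from the report; all records are constructed."""

from dataclasses import dataclass

# Assumed indicator sets (editor-chosen placeholders, not lists from the report).
BROWSER_PARENTS = {"iexplore.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe"}
MICROSOFT_DRIVER_SIGNERS = {"Microsoft Windows", "Microsoft Windows Hardware Compatibility Publisher"}
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".lnk")


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def _basename(path: str) -> str:
    """Case-folded file name of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _drive(path: str) -> str:
    """Drive prefix such as 'E:' (upper-cased), or '' for relative/UNC paths."""
    return path[:2].upper() if len(path) >= 2 and path[1] == ":" else ""


def hunt(events, removable_drives):
    """Return one Finding per suspicious event.

    events:           iterable of dicts using Sysmon field names (EventID 1, 6, 11).
    removable_drives: drive letters known to be removable on the host, e.g. {"E:"};
                      assumed to come from an inventory step, since Sysmon does not tag this.
    """
    findings = []
    for ev in events:
        host = ev.get("Computer", "?")
        event_id = ev.get("EventID")
        if event_id == 1:  # process creation
            parent = _basename(ev.get("ParentImage", ""))
            child = _basename(ev.get("Image", ""))
            if parent in BROWSER_PARENTS and child in SUSPICIOUS_CHILDREN:
                findings.append(Finding("browser_spawned_payload_loader", host,
                                        f"{parent} -> {child}: {ev.get('CommandLine', '')}"))
        elif event_id == 6:  # driver loaded
            signer = ev.get("Signature", "")
            valid = ev.get("SignatureStatus", "") == "Valid"
            if not valid or signer not in MICROSOFT_DRIVER_SIGNERS:
                findings.append(Finding("non_microsoft_driver_load", host,
                                        f"{ev.get('ImageLoaded', '')} signer='{signer}' "
                                        f"status={ev.get('SignatureStatus', '')}"))
        elif event_id == 11:  # file create
            target = ev.get("TargetFilename", "")
            if _drive(target) in removable_drives and target.lower().endswith(EXECUTABLE_SUFFIXES):
                findings.append(Finding("executable_written_to_removable_media", host,
                                        f"{_basename(ev.get('Image', ''))} wrote {target}"))
    return findings


SAMPLE_EVENTS = [  # constructed records mimicking Sysmon fields; not real telemetry
    {"EventID": 1, "Computer": "ws-eng-07",
     "ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\a\AppData\Local\Temp\upd.dll,Start"},
    {"EventID": 1, "Computer": "ws-eng-07",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"EventID": 6, "Computer": "ws-eng-07",
     "ImageLoaded": r"C:\Windows\Temp\drv.sys",
     "Signature": "Example Hardware Vendor", "SignatureStatus": "Valid"},
    {"EventID": 6, "Computer": "ws-eng-07",
     "ImageLoaded": r"C:\Windows\System32\drivers\ntfs.sys",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 11, "Computer": "ws-eng-07",
     "Image": r"C:\Users\a\AppData\Local\Temp\upd.exe",
     "TargetFilename": r"E:\Documents\report.lnk"},
    {"EventID": 11, "Computer": "ws-eng-07",
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\a\Documents\notes.txt"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS, removable_drives={"E:"}):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

A validly signed third-party driver is common on real fleets, so the driver rule is a hunting lead rather than an alert; in practice the `ImageLoaded` hash is matched against a known-vulnerable-driver list (the LOLDrivers project maintains one) and against a baseline of drivers normally present. Because the attackers tightly controlled their command-and-control connections, these host-side behaviours are a more reliable hunting surface than network indicators.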

Conclusion

This cyber espionage operation targeting Eastern European companies in the oil and gas sector and the defense industry affected more than a dozen organizations in sensitive industries [2] [4] [5] [6] [7]. The attackers combined spear-phishing with exploitation of known vulnerabilities [3] to gain unauthorized access to sensitive information. The MATA framework, with its advanced capabilities and multiple generations, let them keep control of compromised systems and spread through USB drives into air-gapped networks. The suspected involvement of the Lazarus Group, a known threat actor, raises concerns about the motives behind these attacks and their future implications.

To mitigate the risks posed by similar cyber espionage operations, organizations should prioritize regular security audits [7], employee training against phishing [7], and staying current on threat reporting [7]. Prompt detection and response [1], as demonstrated by Kaspersky's alerting of affected organizations, is crucial in minimizing the impact of such attacks. Continued collaboration between security firms, such as Kaspersky's Global Research and Analysis Team and Industrial Control Systems Cyber Emergency Response Team [5], is essential in uncovering and addressing these threats.

References

[1] https://www.govinfosecurity.com/mata-malware-targeted-east-european-energy-defense-sectors-a-23353
[2] https://flyytech.com/2023/10/19/sophisticated-mata-framework-strikes-eastern-european-oil-and-gas-companies/
[3] https://ics-cert.kaspersky.com/publications/reports/2023/10/18/updated-mata-attacks-industrial-companies-in-eastern-europe/
[4] https://www.cyberevive.com/2023/10/19/sophisticated-mata-framework-strikes-eastern-european-oil-and-gas-companies/
[5] https://vmblog.com/archive/2023/10/18/kaspersky-reveals-advanced-tactics-in-cyber-espionage-campaign-using-mata-toolset.aspx
[6] https://thehackernews.com/2023/10/sophisticated-mata-framework-strikes.html
[7] https://www.linkedin.com/pulse/sophisticated-mata-framework-strikes-eastern-european-kylo-parisher