Employees of the targeted companies received emails containing insider information, including the names of the employees themselves and the code names of internal projects. The email attachments contained a Word document carrying a backdoor that allows an attacker to take control of the infected system without any further action from the user. “The user is not even prompted to enable macro execution,” the company explained.
The backdoor is similar in functionality to remote administration tools. Such malware can receive or send files, run and delete them, display messages, erase data and restart the computer.
The attackers then scanned the compromised systems for vulnerabilities and for credentials they could steal. Next they took over a domain controller, which gave them control of the organization’s workstations and servers and let them exfiltrate documents containing sensitive data to their own servers, which also served as the command-and-control infrastructure for the malware.
Experts believe that the series of discovered attacks, attributed to TA428, will not be the last in this campaign. “Since the attackers are successful, we assume that such attacks may be repeated in the future,” said Vyacheslav Kopeytsev, senior expert at Kaspersky ICS CERT.