{
	"id": "658b6a24-075e-452a-9e67-b2f3327b6b11",
	"created_at": "2026-04-06T00:16:33.326673Z",
	"updated_at": "2026-04-10T03:33:18.491906Z",
	"deleted_at": null,
	"sha1_hash": "1d9887d795d2d73cb28bef45bfec1f68452b7492",
	"title": "Targeted attack on industrial enterprises and public institutions",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 99032,
	"plain_text": "Targeted attack on industrial enterprises and public institutions\r\nBy Kaspersky ICS CERT\r\nPublished: 2022-08-08 · Archived: 2026-04-05 13:43:18 UTC\r\nIn January 2022, Kaspersky ICS CERT experts detected a wave of targeted attacks on military industrial complex\r\nenterprises and public institutions in several countries. In the course of our research, we were able to identify over\r\na dozen of attacked organizations. The attack targeted industrial plants, design bureaus and research institutes,\r\ngovernment agencies, ministries and departments in several East European countries (Belarus, Russia, and\r\nUkraine), as well as Afghanistan.\r\nThe attackers were able to penetrate dozens of enterprises and even hijack the IT infrastructure of some, taking\r\ncontrol of systems used to manage security solutions.\r\nAn analysis of information obtained while investigating the incidents indicates that cyberespionage was the goal\r\nof this series of attacks.\r\nInitial infection\r\nThe attackers penetrated the enterprise network using carefully crafted phishing emails, some of which use\r\ninformation that is specific to the organization under attack and is not publicly available. This could indicate that\r\nthe attackers did preparatory work in advance (they may have obtained the information in earlier attacks on the\r\nsame organization or its employees, or on other organizations or individuals associated with the victim\r\norganization).\r\nMicrosoft Word documents attached to the phishing emails contained malicious code that exploits the CVE-2017-\r\n11882 vulnerability. The vulnerability enables an attacker to execute arbitrary code (in the attacks analyzed, the\r\nmain module of the PortDoor malware) without any additional user activity.\r\nAn earlier series of attacks in which the PortDoor malware was also used was described by Cybereason experts. A\r\nnew version of PortDoor was identified in the course of our research.\r\nhttps://securelist.com/targeted-attack-on-industrial-enterprises-and-public-institutions/107054/\r\nPage 1 of 4\n\nInitial infection of a system\r\nAfter being launched, PortDoor collects general information on the infected system and sends it to the malware\r\ncommand-and-control (CnC) server. In cases where an infected system is of interest to the attackers, they use the\r\nPortDoor functionality to control the system remotely and install additional malware.\r\nAdditional malware\r\nThe attackers used five different backdoors at the same time – probably to set up redundant communication\r\nchannels with infected systems in case one of the malicious programs was detected and removed by a security\r\nsolution. The backdoors used provide extensive functionality for controlling infected systems and collecting\r\nconfidential data.\r\nOf the six backdoors identified on infected systems, five (PortDoor, nccTrojan, Logtu, Cotx, and DNSep) have\r\nbeen used earlier in attacks attributed by other researchers to APT TA428. The sixth backdoor is new and has not\r\nbeen observed in other attacks.\r\nLateral movement\r\nAfter gaining a foothold on the initial system, the attackers attempt to spread the malware to other computers on\r\nthe enterprise network. To gain access to those computers, the attackers use network scanning results, as well as\r\nuser credentials stolen earlier.\r\nThe Ladon hacking utility (which is popular in China) is used as the main lateral movement tool. It combines\r\nnetwork scanning, vulnerability search and exploitation, password attack, and other functionality. The attackers\r\nalso extensively use standard utilities that are part of the Microsoft Windows operating system.\r\nThe attack’s final stage involves hijacking the domain controller and gaining full control of all of the\r\norganization’s workstations and servers.\r\nThe attackers used DLL hijacking and process hollowing techniques extensively in the attack to prevent security\r\nsoftware from detecting the malware.\r\nData theft\r\nAfter gaining domain administrator privileges, the attackers searched for and exfiltrated documents and other files\r\nthat contained the attacked organization’s sensitive data to their servers hosted in different countries. These servers\r\nwere also used as stage one CnC servers.\r\nThe attackers compressed stolen files into encrypted and password-protected ZIP archives. After receiving the data\r\ncollected, the stage one CnC servers forwarded the archives received to a stage two server located in China.\r\nhttps://securelist.com/targeted-attack-on-industrial-enterprises-and-public-institutions/107054/\r\nPage 2 of 4\n\nTransfer of stolen data from infected systems\r\nWho is behind the attack?\r\nSignificant overlaps in tactics, techniques, and procedures (TTPs) have been observed with APT TA428 activity.\r\nThe research identified malware and CnC servers previously used in attacks attributed by other researchers to\r\nTA428 APT group.\r\nSome indirect evidence also supports our conclusion.\r\nWe believe that the series of attacks that we have identified is highly likely to be an extension of a known\r\ncampaign that has been described in Cybereason, DrWeb, and NTTSecurity research and has been attributed with\r\na high degree of confidence to APT TA428 activity.\r\nConclusion\r\nThe findings of our research show that spear phishing remains one of the most relevant threats to industrial\r\nenterprises and public institutions. In the course of the attack, the attackers used mostly known backdoor malware,\r\nas well as standard lateral movement techniques and methods designed to evade detection by security solutions.\r\nThe attack series that we have identified is not the first in the campaign. Given that the attackers have had some\r\nsuccess, we believe it is highly likely that similar attacks will occur again in the future. Industrial enterprises and\r\npublic institutions should do a great deal of work to successfully thwart such attacks.\r\nhttps://securelist.com/targeted-attack-on-industrial-enterprises-and-public-institutions/107054/\r\nPage 3 of 4\n\nTechnical details of the attacks, as well as recommendations and indicators of compromise, can be found in the\r\nfull public version of the article on the Kaspersky ICS CERT website.\r\nA private version of the article has been published on Kaspersky Threat Intelligence.\r\nWe are not wrapping up our investigation as yet and will release information on new findings as they appear. For\r\nmore information, you can contact ics-cert@kaspersky.com.\r\nSource: https://securelist.com/targeted-attack-on-industrial-enterprises-and-public-institutions/107054/\r\nhttps://securelist.com/targeted-attack-on-industrial-enterprises-and-public-institutions/107054/\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://securelist.com/targeted-attack-on-industrial-enterprises-and-public-institutions/107054/"
	],
	"report_names": [
		"107054"
	],
	"threat_actors": [
		{
			"id": "2f07a03f-eb1f-47c8-a8e9-a1a00f2ec253",
			"created_at": "2022-10-25T16:07:24.277669Z",
			"updated_at": "2026-04-10T02:00:04.919609Z",
			"deleted_at": null,
			"main_name": "TA428",
			"aliases": [
				"Operation LagTime IT",
				"Operation StealthyTrident",
				"ThunderCats"
			],
			"source_name": "ETDA:TA428",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"Agent.dhwf",
				"Albaniiutas",
				"BlueTraveller",
				"Chymine",
				"Cotx RAT",
				"CoughingDown",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"LuckyBack",
				"PhantomNet",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"RoyalRoad",
				"SManager",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TManger",
				"TVT",
				"Thoper",
				"Xamtrav",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "20b5fa2f-2ef1-4e69-8275-25927a762f72",
			"created_at": "2025-08-07T02:03:24.573647Z",
			"updated_at": "2026-04-10T02:00:03.765721Z",
			"deleted_at": null,
			"main_name": "BRONZE DUDLEY",
			"aliases": [
				"TA428 ",
				"Temp.Hex ",
				"Vicious Panda "
			],
			"source_name": "Secureworks:BRONZE DUDLEY",
			"tools": [
				"NCCTrojan",
				"PhantomNet",
				"PoisonIvy",
				"Royal Road"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a4aca3ca-9e04-42d1-b037-f7fb3fbab0b1",
			"created_at": "2023-01-06T13:46:39.042499Z",
			"updated_at": "2026-04-10T02:00:03.194713Z",
			"deleted_at": null,
			"main_name": "TA428",
			"aliases": [
				"BRONZE DUDLEY",
				"Colourful Panda"
			],
			"source_name": "MISPGALAXY:TA428",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434593,
	"ts_updated_at": 1775791998,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1d9887d795d2d73cb28bef45bfec1f68452b7492.pdf",
		"text": "https://archive.orkl.eu/1d9887d795d2d73cb28bef45bfec1f68452b7492.txt",
		"img": "https://archive.orkl.eu/1d9887d795d2d73cb28bef45bfec1f68452b7492.jpg"
	}
}