Kaspersky researchers noted a new campaign by Chinese APT hackers targeting air-gapped systems of industrial organisations in Eastern Europe.

Hackers are reportedly using 15 implants in their procedure, all having different purposes, from maintaining remote access to stealing data. Researchers shared TTPs, IoCs and other details for system admins to identify the threat activity and remain secure.

Stealing Industrial Data in Europe

Researchers at Kaspersky have detailed the new campaign of APT-31 (a Chinese state-sponsored hacking group also known as Zirconium) targeting air-gapped systems of industries in Eastern Europe.

To the unknown, air-gapped systems are those isolated machines from the public internet and other computers in a network that store critical data securely. Companies have their store business secrets safe from external parties.

Since such air-gapped systems contain crucial data, hackers are interested in targeting them, even though it’s hard. They often use extreme social engineering attacks or USB drives to infect the systems and spread remotely from there.

Kaspersky noted one such campaign from APT-31, which started in May last year. In three stages, the threat actor uses 15 implants to gain remote access, maintain persistence, collect data and export it to the hacker’s command and control (C2) servers.

Researchers also noted a dedicated implant that decrypts and injects its payload into the memory of a legitimate process, sleeps for 10 minutes, and eventually steals all the necessary files. The malware archives the stolen files using WinRAR and stores them in temporary local folders, and finally exports the data to Dropbox later.

Kaspersky’s technical report contains all the necessary data, such as malware hashes, a complete set of indicators of compromise, TTPs etc., to identify and thwart the attacks and keep the air-gapped systems safe.