Russian cybersecurity company Kaspersky has unearthed a vast spear-phishing campaign targeting industrial, manufacturing and oil and gas companies.

Spear-phishing is a variant of phishing in which attackers send carefully tailored emails to specific targets. The emails are presented as authentic and relevant messages, but in reality they contain malware or other malicious content, or lure the target into providing the attackers with sensitive personal data.

In this case, industrial companies were targeted with emails that appeared to contain legitimate accounting or procurement letters, such as invitations to tender from major companies, and that were carefully tailored to individual recipients to look as authentic as possible. However, while they looked real, they led recipients to download either malicious attachments or externally linked malicious software.

The software is then used to remotely control the infected computer in order to search for and acquire purchase documents or financial software. Using this information, the attackers are able to commit various forms of financial fraud against the target companies.

The spear-phishing campaign appears to be exclusively targeting Russian industrial companies at present. So far an estimated 400 companies have been affected.

Spear-phishing campaign exposes human risk

The spear-phishing campaign highlights how, for all the improvements companies are making in cybersecurity, humans remain one of the biggest risks to an enterprise.

“No matter how much cybersecurity solutions advance, the human element remains the main vulnerability and often it’s simply because people are trying to be thorough and perform their work duties to the best of their abilities,” said Robert Capps, vice president at NuData Security, a Mastercard company.

“This attack shows why phishing is such a major worry for cybersecurity professionals, and why that concern must reach up to the boardroom. The internet now contains vast amounts of stolen user data that facilitates spear-phishing. When bad actors combine these troves of information with the social media content of employees, they can quickly amass the means to approach, penetrate and loot high-value targets strategically – and these oil, gas, and industrial entities certainly are.”