Monday, 05 May 2025, 11:19 pm

    Kaspersky bares cyber attack campaign targeting APAC industrial organizations

    Kaspersky’s ICS CERT team, its analytics unit, has uncovered a sophisticated cyber attack campaign, codenamed SalmonSlalom, targeting industrial organizations and government agencies across the Asia-Pacific (APAC) region. The attackers employed a multi-stage malware delivery system, utilizing legitimate cloud services and software to avoid detection and gain remote access to operational technology (OT) systems.

    The threat actors used phishing emails, disguised as tax-related documents, to deliver malware through ZIP archives via platforms like WeChat and Telegram. This led to the installation of FatalRAT, a remote access Trojan (RAT), which allowed the attackers to manipulate devices, steal sensitive information, and delete critical files. The attack primarily impacted Taiwan, Malaysia, China, Japan, the Philippines, and other countries.

    Kaspersky noted a significant shift in attack tactics, with the threat actors exploiting Chinese cloud services such as myqcloud and Youdao Cloud Notes. By dynamically altering control servers and payloads, and using legitimate software features, they effectively evaded detection.

    Evgeny Goncharov, Head of Kaspersky ICS CERT, warned that this campaign exemplifies the evolving threat landscape, urging organizations in the APAC region to enhance their cybersecurity measures. He stressed the need for proactive defenses to protect critical assets and data from sophisticated threat actors.

    While the campaign’s origins are not conclusively attributed, the use of Chinese-language services and technical indicators suggests a Chinese-speaking threat group may be involved.

    Kaspersky advises organizations to adopt robust security measures, including enabling two-factor authentication, deploying up-to-date security solutions, and implementing proactive monitoring systems to mitigate risks posed by such advanced threats.
