Kaspersky Lab ICS CERT has identified a new wave of phishing emails with malicious attachments targeting primarily companies and organizations that are, in one way or another, associated with industrial production. The phishing emails are disguised as legitimate commercial offers and are sent mainly to industrial companies located in Russia. The content of each email reflects the activity of the organization under attack and the type of work performed by the employee to whom the email is sent. According to the data that we have collected, this series of attacks started in November 2017 and is currently in progress. Notably, the first similar attacks were recorded as far back as 2015. The malware used in these attacks installs legitimate remote administration software – TeamViewer or Remote Manipulator System/Remote Utilities (RMS). This enables the attackers to gain remote control of infected systems.