At least 500 industrial organizations in 50 countries including Canada have been targeted by in a spear phishing attack that includes tools for stealing data, according to Kaspersky Labs.

The report comes in a company blog, which says the attacks began in August and are continuing. “The worst affected were companies in the smelting, electric power generation and transmission, construction, and engineering industries. Most of the organizations attacked were vendors of industrial automation solutions and system support contractors.”

Of note is that the emails had subject lines that could convince unsuspecting recipients that they were from a legitimate source, including fake commercial suppliers or shipping companies sending an updated price list, banks asking customers to validate banking information, or confirmation of equipment delivery.

Documents attached in the emails are RTF files containing an exploit for the CVE-2015-1641 Microsoft Office vulnerability which allows an attacker to remotely run code. It was patched in April,2015.

Experts have been warning for years that supervisory control and data acquisition (SCADA) and industrial control (ICS) systems have weaknesses that can be exploited by attackers, making critical infrastructure open to manipulation.

Kaspersky notes that most of the emails it has seen were sent from legitimate email addresses belonging to valid organizations — in fact in some the subject line contained the actual text used in an organization’s correspondence. “That can only happen if the source emails were accessible to hackers and were, possibly, compromised earlier,” says the analysis.

The malicious apps used in the attachment includes specific VB and MSIL packers that can diminish the ability of antivirus to detect the malware used. They include the FareIT/Pony 2.0 loader that steals credentials from a number of applications including Google Chrome, Internet Explorer, and numerous FTP (file transfer protocol) uploaders.

After gathering information the data is sent to a command and control server, which downloads more malware, including the Luminosity RAT, which includes a file manager for searching and removing victims’ files; and the HawkEye Keylogger, which collects system and networking parameters from compromised systems and steals passwords from email clients, web browsers, P2P clients and password managers; and the Zeus Atmos trojan, a variant of the Zeus banking malware, which can inject code into web applications and web pages, grab data from forms, steals security certificates and does other nasty things.

The post includes indicators of compromise for security teams to watch for.