DHS: Spear Phishing Campaign Targeted 11 Energy Sector Firms

Attackers Targeted Energy Sector Firms

A spear phishing campaign targeted 11 energy sector organizations using publicly available information, according to the Department of Homeland Security.

Attackers collected employee names, company email addresses, company affiliation, and work titles from an electric utility’s Web site to craft the spear phishing campaign, according to the latest issue of the ICS-CERT Monitor, a quarterly publication released by Homeland Security’s Industrial Control System-Computer Emergency Response Team (ICS-CERT). The names were on a page listing the attendees at a recent committee meeting.

The list gave “the attacker the company knowledge necessary to target specific individuals within the electric sector,” ICS-CERT said. The attack email pretended to be someone the targeted people knew and informed the recipients that the sender’s email address had changed. The emails contained a link to a site hosting malware, although some variants had the malware as an attachment.

“Luckily no known infections or intrusions occurred,” ICS-CERT wrote in the latest issue of the ICS-CERT Monitor. The campaign started and ended in October.

Attackers regularly use social media, as well as the Web sites of professional organizations and industry conferences, as part of their reconnaissance activities, warned ICS-CERT. The publicly available information is used to craft convincing spear phishing campaigns, which have a higher likelihood of tricking the targeted individual into clicking on the malicious link or opening a booby-trapped file attachment.

The latest ICS-CERT Monitor also referenced the spate of watering-hole attacks where attackers exploited two zero-day vulnerabilities to compromise legitimate Websites such as the Council of Foreign Affairs and Capstone Turbine Corporation. During the course of its investigation, ICS-CERT “has learned of numerous asset owners across multiple sectors who were compromised” via a watering hole attack, ICS-CERT said. The attackers used the zero-days, including one affecting Internet Explorer 6, 7, and 8, to hijack the sites and host malware. Unsuspecting visitors to the site would be infected.

ICS-CERT issued an alert about watering hole attacks in January because it was concerned they “could be leveraged by sophisticated attacks to target critical infrastructure asset owners.” ICS-CERT continues to evaluate this incident.

It was not clear how many other energy sector and infrastructure owners were impacted, or whether the “multiple sectors” referenced by ICS-CERT included Facebook, Twitter, Apple, and Microsoft, which had been affected by a watering hole attack this year.

To prevent spear phishing, users should not click on Web links or open attachments from unsolicited emails. Organizations should minimize the amount of business-related information (such as job titles, company email addresses, organizational structure, and project names) and personal data posted on social media Web sites. If the information is listed on third-party sites, organizations should contact the site owner and request that the data be taken down, according to ICS-CERT.

As for the watering hole attacks, organizations need to review their policies and requirements for browsing software and ensure common applications are up to date with the latest patches.
