A spear phishing campaign targeted 11 energy sector organizations using publicly available information, according to the Department of Homeland Security.
Attackers collected employee names, company email addresses, company affiliation, and work titles from an electric utility’s Web site to craft the spear phishing campaign, according to the latest issue of the ICS-CERT Monitor, a quarterly publication released by Homeland Security’s Industrial Control System-Computer Emergency Response Team (ICS-CERT). The names were on a page listing the attendees at a recent committee meeting.
The list gave “the attacker the company knowledge necessary to target specific individuals within the electric sector,” ICS-CERT said. The attack email pretended to be someone the targeted people knew and informed the recipients that the sender’s email address had changed. The emails contained a link to a site hosting malware, although some variants had the malware as an attachment.
“Luckily no known infections or intrusions occurred,” ICS-CERT wrote in the latest issue of the ICS-CERT Monitor. The campaign started and ended in October.
Attackers regularly use social media and professional organization and industry conference Web sites as part of their reconnaissance activities, warned ICS-CERT. The publicly available information is used to craft convincing spear phishing campaigns which have a higher likelihood of successfully tricking the targeted individual to click on the malicious link or open a booby-trapped file attachment.
The latest ICS-CERT Monitor also referenced the spate of watering-hole attacks where attackers exploited two zero-day vulnerabilities to compromise legitimate Websites such as the Council of Foreign Affairs and Capstone Turbine Corporation. During the course of its investigation, ICS-CERT “has learned of numerous asset owners across multiple sectors who were compromised” via a watering hole attack, ICS-CERT said. The attackers used the zero-days, including one affecting Internet Explorer 6, 7, and 8, to hijack the sites and host malware. Unsuspecting visitors to the site would be infected.
ICS-CERT issued an alert about watering hole attacks in January because it was concerned they “could be leveraged by sophisticated attacks to target critical infrastructure asset owners.” ICS -CERT continues to evaluate this incident.
It was not clear how many other energy sector and infrastructure owners were impacted nor whether if the “multiple sectors” referenced by ICS-CERT included Facebook, Twitter, Apple, and Microsoft, who’d been affected by a watering hole attack this year.
To prevent spear phishing, users should not click on Web links or open attachments from unsolicited emails. Organizations should minimize the amount of business-related information, such as job titles, company email, organizational structure, and project names, and personal data being posted on social media Websites. If the information is listed on third-party sites, organizations should contact the site owner and that the data be taken down, according to ICS-CERT.
As for the watering hole attacks, organizations needed to review their policies and requirements for browsing software and ensure common applications are up-to-date with the latest patches.
Related Reading: Critical Infrastructure is the New Battleground for Cyber Security
Related Reading: Putting SCADA Protection on the Radar
Related Reading: SCADA Honeypots Shed Light on Attacks Against Critical Infrastructure