ICS Vendors Targeted in Espionage Campaign Focusing on Renewable Energy

Major industrial control system (ICS) vendors and other types of organizations have been targeted in a cyberespionage campaign that appears to focus on renewable energy.

The campaign, which started in at least 2019 and is ongoing, was analyzed by William Thomas, security researcher at Curated Intelligence. Because the analysis relied solely on OSINT techniques, the findings are limited, but they are nevertheless interesting.

Using public sandbox submissions and passive DNS data, Thomas identified dozens of users apparently targeted in a phishing campaign that leveraged a basic “Mail Box” phishing kit to harvest usernames and passwords. The phishing pages are hosted on dedicated domains, as well as on compromised websites.

ICS vendors targeted in phishing attacks

Based on the targeted email addresses, the operation is aimed at the employees of organizations in various sectors, but the focus appears to be on renewable energy. Targets include employees of ICS vendors such as Honeywell and Schneider Electric, Chinese communications giant Huawei, and Chinese chipmaker HiSilicon.

The phishing was also aimed at several universities in the United States, including the University of Wisconsin, California State University, and Utah State University.

NGOs and government organizations have also been targeted, including the California Air Resources Board, the Morris County Municipal Utilities Authority, the Taiwan Forestry Research Institute, and the Carbon Disclosure Project (CDP).

Other victims include the Kardzhali power plant and the CEZ Electro electricity supplier in Bulgaria, Romanian telecoms company Telekom Romania, and Italian plastic recycling firm Sorema. Some of the infrastructure used in this campaign was also used back in 2019 to target multiple banks in Bulgaria.

While attribution is difficult, the researcher found links to two known activity clusters: one previously attributed to the threat group tracked as APT28 (also known as Fancy Bear), which is believed to be operated by Russian intelligence, and one attributed to Konni, which has been tied to the North Korean government. However, there is insufficient evidence to definitively link the phishing attacks to either of these threat actors.

“Attribution using these campaign artefacts and OSINT reports alone was not possible,” Thomas wrote in a blog post. “However, it can be inferred that the adversary behind these attempts appears to be interested in Bulgaria, for starters, plus critical infrastructure, renewable energy, environmental protection agencies, and recycling technology.”

The researcher added, “Supplemental targets such as ICS/OT organisations and educational institutions would complement this intelligence gathering campaign, if access could be obtained at these entities. From this it could be suggested that the adversary behind this campaign is potentially a major source of fossil fuels and is doing research on the renewable energy sector as a threat to its income.”

Thomas has made available indicators of compromise (IoCs) and other technical information on this campaign.

Related: Thousands of Industrial Systems Targeted With New ‘PseudoManuscrypt’ Spyware

Related: ‘WildPressure’ Campaign Targets Industrial Sector in Middle East

Related: Cybercriminals Target Industrial Organizations in Information Theft Campaign

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
