Global Phishing Campaign Targets the Energy Sector and Other CNI Enterprises
Jul 12, 2021 | Radiflow team
What we know
A recent phishing campaign, reported by Intezer, has targeted companies from all over the world, primarily in South Korea but also in the US, UAE, and Germany. The subjects of the phishing emails used in the attack included power plant projects, wind farm projects and bid opportunities, and the emails carried payload-bearing attachments that execute an information stealer when opened.
The campaign uses spoofed or typosquatted emails to make them look like part of a normal business-to-business (B2B) correspondence
The attached files were primarily IMG, ISO or CAB files containing information-stealer malware
The dropped malware is generally able to steal private information, log keyboard strokes and steal browsing data
Although the attacks were aimed at companies’ IT infrastructure, Radiflow’s findings and experience from risk assessments and IDS implementation projects show that companies like those attacked are typically vulnerable to attacks on their industrial (OT) networks due to:
Inadequate IT/OT segmentation (or none at all)
Use of unpatched and vulnerable devices in the OT environment (many of the OT systems targeted still run on end-of-life Windows systems)
Use of vulnerable network protocols such as SMBv1 which are susceptible to various exploitation techniques
Even though there has been no formal attribution to any state-sponsored actor, as the majority of victims reside in South Korea it is reasonable to assume some form of involvement by prominent North Korean groups such as Lazarus Group, Kimsuky, BlueNoroff, or Andariel, which are known for their capability to launch disruptive cyber-attacks (such as the Sony and WannaCry attacks).
The malware used in the campaign was intended to covertly collect data, and as such it could have been used to steal commercial trade secrets related to manufacturing and energy.
Although this attack seems to be aimed at stealing information, it could also be the first stage towards further propagation into the OT environments of energy, oil & gas and manufacturing companies. Given the history of North Korean state-sponsored groups and their capability to launch cyber operations intended to disrupt and destroy network environments, the goal of this specific campaign may well have been to establish a permanent foothold in the victims’ sensitive ICS/OT environments, as preparation for disrupting their critical business operations at some point.
What can be done to mitigate the risk of such attacks?
Significantly improve network segmentation: separation between the IT and OT parts of your environments and division of the OT network by business processes or zones could greatly improve the ability to control, monitor and protect the entire network.
Minimize the use of insecure protocols, especially Windows protocols and remote-access protocols and software such as telnet, VNC and TeamViewer.
Facilitate continuous monitoring of IT and OT networks while watching for suspicious DNS requests and correlating the findings.
Increase awareness of phishing risks by offering cyber-awareness training, especially for employees who interface with external parties but are not everyday office users, e.g. OT engineers or internal project managers.
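As an added example (not Radiflow's or Intezer's code), the following Python triage rule turns the campaign traits described above into mail-gateway logic a SOC could run over message metadata: it scores a message on a typosquatted sender domain (edit distance against a list of trusted partner domains), a disk-image or archive attachment (IMG, ISO, CAB) and lure wording in the subject. The trusted domains and sample messages are constructed for illustration.

```python
import os
CONTAINER_EXTS = {".img", ".iso", ".cab"}  # container formats the reported campaign used
LURE_TERMS = ("power plant", "wind farm", "bid")  # wording from the reported lure subjects

def edit_distance(a, b):
    """Levenshtein distance, used to recognise typosquatted sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain, trusted_domains, max_distance=2):
    """Trusted domain that `domain` is a near miss of, or None (exact match is legitimate)."""
    if domain in trusted_domains:
        return None
    best = min(trusted_domains, key=lambda t: edit_distance(domain, t))
    return best if edit_distance(domain, best) <= max_distance else None

def triage(msg, trusted_domains):
    """Return the list of campaign indicators present in one message (empty = clean)."""
    reasons = []
    sender_domain = msg["from"].rsplit("@", 1)[-1].lower()
    twin = lookalike_of(sender_domain, trusted_domains)
    if twin:
        reasons.append(f"sender domain {sender_domain} resembles trusted {twin}")
    for name in msg["attachments"]:
        if os.path.splitext(name.lower())[1] in CONTAINER_EXTS:
            reasons.append(f"disk-image/archive attachment {name}")
    if any(term in msg["subject"].lower() for term in LURE_TERMS):
        reasons.append("subject uses energy-project lure wording")
    return reasons

def is_suspicious(msg, trusted_domains):
    """Escalate only when a container attachment coincides with a second indicator."""
    reasons = triage(msg, trusted_domains)
    return any("attachment" in r for r in reasons) and len(reasons) >= 2

TRUSTED_DOMAINS = {"windfarm-energy.com", "example.org"}  # constructed sample values
SAMPLE_MESSAGES = [  # constructed sample mail metadata, not data from the reported campaign
    {"from": "bids@windfarm-energy.co", "subject": "Wind farm bid opportunity", "attachments": ["Bid_Documents.img"]},
    {"from": "procurement@windfarm-energy.com", "subject": "Wind farm schedule", "attachments": ["schedule.pdf"]},
    {"from": "hr@example.org", "subject": "Holiday calendar", "attachments": ["calendar.iso"]},
]

def flagged_senders():
    return [m["from"] for m in SAMPLE_MESSAGES if is_suspicious(m, TRUSTED_DOMAINS)]
```

The ISO from the trusted internal sender is recorded by `triage` but not escalated by `is_suspicious`, which keeps the rule from drowning analysts in legitimate disk-image traffic while still catching the lookalike-domain lure with a container attachment.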
If you’ve found this article interesting, please visit and follow Radiflow on LinkedIn, where you’ll find a wealth of exclusive content.