What we know
A recent phishing campaign, reported by Intezer, has targeted companies around the world, primarily in South Korea but also in the US, UAE, and Germany. The phishing emails used lures such as power plant projects, wind farm projects and bid opportunities, and carried payload-bearing attachments that execute an information stealer when opened.
Key findings
- The campaign uses spoofed or typosquatted emails to make them look like part of a normal business-to-business (B2B) correspondence
- The attached files were primarily IMG, ISO or CAB files containing information-stealer malware
- The dropped malware is generally able to steal private information, log keyboard strokes and steal browsing data
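The three findings above describe what a mail gateway or SOC analyst can actually check for: a sender domain that is a near-miss of a real partner domain, a visible From domain that does not match the envelope sender, and a disk-image or cabinet attachment (IMG, ISO, CAB) used to carry the stealer. The following Python triage script is an added example written for this page, not code from Intezer or Radiflow. The trusted partner domains, the sample messages and the edit-distance threshold of 2 are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from email.utils import parseaddr
from typing import List, Optional, Set

# Attachment types the report says carried the information stealer.
SUSPECT_CONTAINER_EXTS = {".img", ".iso", ".cab"}

# Hypothetical list of partner domains the organisation genuinely corresponds with.
TRUSTED_PARTNER_DOMAINS = {"example-energy.com", "windfarm-partner.co.kr"}


@dataclass
class Finding:
    message_id: str
    reasons: List[str] = field(default_factory=list)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot look-alike (typosquatted) sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_value: str) -> str:
    """Extract the lower-cased domain part of an address header such as From or Return-Path."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_of(domain: str, trusted: Set[str]) -> Optional[str]:
    """Return the trusted domain this one imitates, if it is close but not identical."""
    for t in trusted:
        if domain != t and levenshtein(domain, t) <= 2:  # threshold is an assumption
            return t
    return None


def triage(message: dict, trusted: Set[str] = TRUSTED_PARTNER_DOMAINS) -> Finding:
    """Apply the three checks from the report's key findings to one parsed message."""
    f = Finding(message["id"])
    from_dom = sender_domain(message.get("from", ""))
    rp_dom = sender_domain(message.get("return_path", ""))

    # Spoofing: the visible From domain differs from the envelope sender's domain.
    if from_dom and rp_dom and from_dom != rp_dom:
        f.reasons.append(f"From domain {from_dom} != Return-Path domain {rp_dom}")

    # Typosquatting: the From domain is a near-miss of a trusted partner domain.
    target = lookalike_of(from_dom, trusted)
    if target:
        f.reasons.append(f"sender domain {from_dom} looks like trusted {target}")

    # Payload carrier: disk-image or cabinet attachments.
    for name in message.get("attachments", []):
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in SUSPECT_CONTAINER_EXTS:
            f.reasons.append(f"container attachment {name}")
    return f


# Constructed sample messages for the example; these are not real campaign samples.
SAMPLE_MESSAGES = [
    {"id": "m1", "from": "Procurement <bids@windfarm-partner.co.kr>",
     "return_path": "bids@windfarm-partner.co.kr", "attachments": ["RFQ-17.pdf"]},
    {"id": "m2", "from": "Bids <bids@windfarm-partner.co.kr>",
     "return_path": "x@mailer-relay.example", "attachments": ["Bid_Opportunity.iso"]},
    {"id": "m3", "from": "Tender <tender@exarnple-energy.com>",
     "return_path": "tender@exarnple-energy.com", "attachments": ["PowerPlant_Project.img"]},
]


def suspicious(messages=SAMPLE_MESSAGES) -> dict:
    """Map message id to the list of reasons, for messages that triggered at least one check."""
    result = {}
    for m in messages:
        f = triage(m)
        if f.reasons:
            result[f.message_id] = f.reasons
    return result


if __name__ == "__main__":
    for mid, reasons in suspicious().items():
        print(mid, "->", "; ".join(reasons))
```

In the constructed sample, m1 is a legitimate partner mail with a PDF and passes; m2 spoofs the partner's From address but its Return-Path points elsewhere and it carries an ISO; m3 comes from a domain one edit away from a trusted partner and carries an IMG. Real mail flow would feed parsed headers from the gateway into `triage` instead of the inline list.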
Insights
- Although the attacks were aimed at companies’ IT infrastructure, Radiflow’s findings and experience from risk assessments and IDS implementation projects show that companies like those attacked are typically vulnerable to attacks on their industrial (OT) networks due to:
  - Inadequate IT/OT segmentation (or none at all)
  - Use of unpatched and vulnerable devices in the OT environment (many of the OT systems targeted still run on end-of-life Windows systems)
  - Use of vulnerable network protocols such as SMBv1, which are susceptible to various exploitation techniques
- Even though there has been no formal attribution to any state-sponsored actor, as the majority of victims reside in South Korea, it would be within reason to assume some form of involvement by prominent North Korean groups such as Lazarus Group, Kimsuky, BlueNoroff, or Andariel, which are known for their capability to launch disruptive cyber-attacks (such as the Sony and WannaCry attacks).
- The malware used in the campaign was intended to covertly collect data, and as such it could have been used to steal commercial trade secrets related to manufacturing and energy.
- Although this attack seems to be aimed at stealing information, it could also be the first stage towards further propagation into the OT environments of energy, oil & gas and manufacturing companies. Given the history of North Korean state-sponsored groups and their capability to launch cyber operations intended to disrupt and destroy network environments, the goal of this specific campaign may well have been to establish a permanent foothold in their victims’ sensitive ICS/OT environments, in preparation for disrupting their critical business operations at some point.
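The first insight lists weak IT/OT segmentation and exposed SMB (SMBv1 in particular) as the conditions that let a compromise of the IT side propagate into OT. A concrete way to check for that is to audit the firewall rules between the zones for allow rules that let IT sources reach OT on SMB or on any port. The Python audit below is an added example for this page, not a Radiflow tool; the zone address ranges, the rule list and the inclusion of RDP alongside the SMB ports are assumptions constructed for the example.

```python
import ipaddress
from typing import Dict, List

# Hypothetical zone layout: an IT user LAN and an OT/ICS cell (constructed values).
IT_ZONES = [ipaddress.ip_network("10.10.0.0/16")]
OT_ZONES = [ipaddress.ip_network("192.168.100.0/24")]

# TCP ports that should never be reachable from IT into OT. 445 and 139 carry SMB,
# which the report singles out; RDP is added here as an assumption.
RISKY_TCP_PORTS = {445: "SMB", 139: "NetBIOS-SSN", 3389: "RDP"}


def _touches(net: ipaddress.IPv4Network, zones) -> bool:
    """True if the rule's address range overlaps any network in the zone list."""
    return any(net.overlaps(z) for z in zones)


def audit_rules(rules: List[Dict]) -> List[str]:
    """Flag allow rules that let an IT source reach an OT destination on a risky port or on any port."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        src = ipaddress.ip_network(r["src"], strict=False)
        dst = ipaddress.ip_network(r["dst"], strict=False)
        # Only IT -> OT traffic is in scope for this segmentation check.
        if not (_touches(src, IT_ZONES) and _touches(dst, OT_ZONES)):
            continue
        ports = r["ports"]  # either the string "any" or a list of TCP ports
        if ports == "any":
            findings.append(f"{r['name']}: IT {src} -> OT {dst} on ANY port (no segmentation)")
            continue
        hit = [f"{p}/{RISKY_TCP_PORTS[p]}" for p in ports if p in RISKY_TCP_PORTS]
        if hit:
            findings.append(f"{r['name']}: IT {src} -> OT {dst} exposes {', '.join(hit)}")
    return findings


# Constructed rule set for the example (not from any real firewall).
SAMPLE_RULES = [
    {"name": "historian-replication", "action": "allow",
     "src": "10.10.5.0/24", "dst": "192.168.100.10/32", "ports": [5450]},
    {"name": "legacy-file-share", "action": "allow",
     "src": "10.10.0.0/16", "dst": "192.168.100.0/24", "ports": [445, 139]},
    {"name": "vendor-any", "action": "allow",
     "src": "0.0.0.0/0", "dst": "192.168.100.0/24", "ports": "any"},
    {"name": "deny-all", "action": "deny",
     "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "ports": "any"},
]


if __name__ == "__main__":
    for line in audit_rules(SAMPLE_RULES):
        print(line)
```

The historian replication rule passes because it is narrowly scoped to a single host on a non-SMB port; the file-share rule is flagged for exposing SMB across the whole OT cell, and the catch-all vendor rule is flagged because it removes segmentation entirely. In practice the rule list would be exported from the firewall and the zone ranges taken from the site's network documentation.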