Hackers Are Stress-Testing Critical Infrastructure Security with Phishing Attacks
Since about May 2017, hackers have been running attacks on critical infrastructure environments like electricity utility companies and nuclear plants.
The New York Times reported last week that threat actors “have been penetrating the networks” of companies that operate these critical systems, citing one specific nuclear power facility in Kansas.
In addition, the Department of Homeland Security last week issued a joint report with the Federal Bureau of Investigation in which the two agencies delivered an “amber warning,” the second-highest threat rating.
The agencies said in a joint statement that there is “no indication of a threat to public safety” and that the impacts of these cyber attacks appear to be limited to administrative and business networks, not the networks running critical equipment.
It appears instead that hackers are looking to map the networks of such organizations and establish a foothold for future attacks. Investigators were unable to analyze the actual malicious payload of these attempts, which makes a full determination all but impossible.
Talos, Cisco’s threat intelligence group, has also reported technical details of attacks on critical systems. In a blog post last week, Talos said that threat actors, using e-mail-based attacks, have been testing critical infrastructure targets for weaknesses.
In one particular attack, Talos researchers reported in their blog that threat actors are using crafted phishing e-mails that contain Word document attachments. Unlike traditional phishing attacks that utilize Word documents, these attachments contain no scripts or macros that execute. Instead, the attachment downloads a template file over SMB with the goal of harvesting user credentials silently.
The template file, Talos researchers write, could also be used to download other payloads in the future if the download is successful.
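A defender-side check for the attachment technique described above, added here as an example rather than code from Talos or the article: a .docx is a zip archive, and a document that pulls its template from elsewhere records that as an "attachedTemplate" relationship in word/_rels/settings.xml.rels, so a mail gateway or analyst script can flag documents whose template target is a UNC path or URL before any SMB connection is attempted. The scanner, the sample builder and the 203.0.113.10 address are all constructed for this illustration.

```python
import io
import re
import zipfile
from xml.etree import ElementTree as ET

# OOXML package relationships namespace; the attachedTemplate relationship type
# is the hook Word follows when it fetches a remote template.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = "/attachedTemplate"
# UNC paths (\\host\share) and URL schemes both make Word reach out over the network.
# Plain local drive paths (C:\...) are not flagged; file:// URLs are flagged for review.
REMOTE_TARGET = re.compile(r"^(\\\\|//|[a-z][a-z0-9+.-]*://)", re.IGNORECASE)


def find_remote_templates(docx_bytes):
    """Return the remote template targets referenced by a .docx, or [] if none."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        rels_path = "word/_rels/settings.xml.rels"
        if rels_path not in z.namelist():
            return hits  # no settings relationships at all: nothing to attach
        root = ET.fromstring(z.read(rels_path))
        for rel in root.findall(f"{{{REL_NS}}}Relationship"):
            rel_type = rel.get("Type", "")
            target = rel.get("Target", "")
            if (rel_type.endswith(ATTACHED_TEMPLATE)
                    and rel.get("TargetMode") == "External"
                    and REMOTE_TARGET.match(target)):
                hits.append(target)
    return hits


def build_sample_docx(template_target):
    """Build a minimal constructed .docx in memory for testing (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/settings.xml", "<settings/>")
        rels = (
            '<?xml version="1.0"?><Relationships xmlns="%s">'
            '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
            'officeDocument/2006/relationships/attachedTemplate" '
            'Target="%s" TargetMode="External"/></Relationships>' % (REL_NS, template_target)
        )
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()
```

Run the scanner over quarantined attachments; a hit is a strong reason to block the message and to check firewall logs for outbound SMB from the recipient's host.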
Talos has, again since May, observed attackers targeting critical infrastructure organizations of the kind named above around the world, most notably in the United States and Europe.
Aside from gathering credentials and establishing a foothold, it’s not entirely clear what the next stages of these attacks will be, if any. But it’s clear that infrastructure organizations, those that run the most critical systems, need to show extra diligence around their network operations and security.
A key lesson here, Talos researchers wrote in their post, is “the importance of controlling your network traffic and not allowing outbound protocols such as SMB except where specifically required for your environment.”
In February of this year, the Ponemon Institute issued findings of a survey indicating that the majority of oil and gas companies have known vulnerabilities. Industries like manufacturing and oil and gas are experiencing rapid digital change, but their cybersecurity measures are not keeping pace. A major finding from the survey was that 67 percent of respondents (leaders responsible for security in the oil and gas industries) said the threat to their organizations had “substantially increased,” yet only 35 percent of those same respondents indicated that they had a “high” readiness level.