Spear-phishing attacks on energy companies are becoming increasingly sophisticated, an expert has warned – and all it takes is one lucky strike to cause devastating damage to the power grid, or to companies which supply oil and gas.

“The way malware is getting into these internal networks is by social engineering people via email,” Rohyt Belani, CEO of anti-phishing training firm PhishMe, told PC World.

The Department of Homeland Security’s ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) documented more than 100 incidents between October 2012 and May 2013. Several involved sophisticated spear-phishing (targeted phishing) emails, with the attackers using company websites and other data available on the internet before sending targeted emails.

Belani cited an example of a night-shift worker controlling SCADA systems – the computerised systems which monitor industrial processes – who was targeted with a highly specific and believable spear-phishing attack.

The unknown cybercriminals had researched his name, and the fact he had four children, and sent him an email, seemingly from the company’s HR department, which related to health insurance for workers with three or more children.

“You send them something that’s targeted, that contains a believable story, not high-volume spam,” says Belani. “People will act on it by clicking a link or opening a file attached to it. Then, boom, the attackers get that initial foothold they’re looking for.”

A Congressional survey of electrical utilities earlier this year found that companies faced up to 10,000 attacks per month. Out of 53 companies surveyed, more than a dozen described attacks on their systems as “daily” or “constant”.

One company complained of being under a “constant state of ‘attack’ from malware and entities seeking to gain access to internal systems.”

This April, a spear-phishing attack which targeted an American electrical company was documented in this month’s Monitor report from the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).

Again, in that case, the cybercriminals had done their research. The attack used a published list of attendees at a committee meeting to target employees with a malware-infected phishing email. The company site had listed the email addresses and work titles of everyone at a meeting – which was enough information for cybercriminals to craft a convincing-looking tailored attack directed at the company.

ICS-CERT says it has responded to more than 100 incidents targeting the energy sector between October 2012 and May 2013. “The majority of these incidents involved attacker techniques such as watering hole attacks, SQL injection, and spear-phishing attacks. In all cases, ICS-CERT evaluates the information available to determine if successful compromise has occurred, the depth and breadth of the compromise, and the potential consequences to critical infrastructure networks.”