A recent barrage of well-crafted phishing emails aimed at employees at U.S. energy companies, including one nuclear facility, is tied to a years-long international campaign to steal user credentials and gather intelligence from the industry.
The New York Times and Bloomberg reported Thursday that the FBI and Department of Homeland Security had recently warned several U.S. energy companies about the threat of hackers attempting to break into their networks by using specially tailored spearphishing emails and watering hole-style attacks.
John Hultquist, who leads U.S. cybersecurity firm FireEye’s cyber-espionage analysis division, said that he’s been independently tracking this same operation and that FireEye customers were warned about it roughly five weeks ago.
“We’ve tied this recent operation to a campaign that started all the way back in 2015, which extends beyond the U.S., and has targeted companies in the Middle East and Western Europe … specifically in Turkey and Ireland,” said Hultquist.
This older campaign employed indicators, tools and techniques similar to those seen in the incidents that came to light this week.
The malware distributed is designed to harvest login credentials and conduct reconnaissance. It is not intended to be destructive or disruptive, unlike the malware in the recent Petya incident, which spread globally from hijacked updates rolled out by a Ukrainian accounting software company.
There is no evidence to suggest that these same phishing emails supplied a virus that could manipulate industrial control systems.
Based on a technical analysis of the malware’s capabilities, related infections appear to be confined to front offices. That said, it’s possible that these phishing emails are just one step in a larger plan that involves physical damage.
“While these phishing emails do not have a destructive payload, often initial delivery payloads are not destructive,” explained Blake Darche, co-founder of anti-phishing cybersecurity firm Area 1 Security. “Instead, the hacker will use the initial foothold to expand access by acquiring enablement information such as usernames, passwords, and hashes. In fact, some hackers will wait pre-position access years in advance in order to be ready to deploy a destructive payload during a time of war.”
The intent of the attacker in this case is not yet clear.
Other cybersecurity researchers with access to samples of the phishing emails told CyberScoop that the malware amounted to “run-of-the-mill” material in quality. These researchers chose to speak on condition of anonymity to discuss a sensitive and ongoing investigation.
“While the focus is on power plants today, these same phishing techniques are used across all verticals including financial services, manufacturing, and health care,” Darche said.
The phishing emails contained several different variations of an infected Microsoft Word document, disguised as a resume for an engineering applicant and an industrial control system standards explanation document. In each case, if the attachment was opened, it would upload a Word document which would then call back to the attacker’s command and control infrastructure.
“The method is believed to work by referencing remote files within the documents, which the victim’s system attempts to retrieve via SMB (TCP/445),” explained Hultquist. “The retrieval of the file over SMB may lead to a SMB authentication attempt, which the attackers can use to scrape the encrypted credentials. Once collected, the actors can leverage brute-forcing methods to determine the plaintext of the encrypted credentials.”
The watering hole attacks involved actors infecting websites that would typically be visited by energy sector employees. This included implanting malware inside an energy industry news publication and other websites, said Hultquist. When someone would visit one of these websites and click on the page, a download would begin.
Employees of large corporations, including those involved in the energy sector, regularly receive phishing emails. What makes this recent incident special is that a cursory review of the available evidence suggests the motive for the hackers was not financial.
It’s still too early to accurately attribute the group responsible for these attempted intrusions, experts say.
Although Hultquist said that his team is hunting those responsible for the intrusions, it’s not immediately clear who is behind the expansive operation. Bloomberg reported, citing unnamed experts familiar with the investigation, that Russia could be involved.
The New York Times pointed to a hacking group dubbed “Energetic Bear,” which is believed to be affiliated with Russia’s Federal Security Service.
Energetic Bear was last seen actively hacking into targeted organizations in 2014, said Hultquist. They haven’t been spotted by FireEye since.