Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

1/18/2013
07:36 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Spear-Phishing Experiment Targets, Hooks Energy Firms

More than one-fourth of utility employees in experiment fell victim to spearphishing emails

MIAMI, FL – S4 Conference – Spear-phishing is everywhere in targeted attacks today -- even in the SCADA/industrial control systems (ICS) world. A recent experiment involving two real-world utilities showed just how successful those types of campaigns can be: Twenty-six percent of utility employees clicked on a link in the phony emails.

The experiment, conducted last month by open-source intelligence expert Tyler Klinger of Critical Intelligence and Scott Greaux of PhishMe, also demonstrated how easy it is to gather the necessary intelligence to target key individuals within an ICS organization, including those with access to actual process control systems.

With the help of Digital Bond, Klinger was able to line up three utilities in the gas and electric industries to participate in the experiment. Klinger found valuable but seemingly benign information online in the public domain about employees at the utilities and then used that intelligence to craft convincing spear-phishing emails with "malicious" links. One of the three dropped out of the project after the first phase, but Klinger was able to fool employees with titles including control room supervisor, instrument technician, automation technician, pipeline controller, process control engineer, senior vice president of operations and management, and equipment diagnostics lead.

"If 26 percent of your ICS people are able to get pwned, that's a pretty telling statistic," Klinger said in his presentation here yesterday. And all of the information he needed was available online, via LinkedIn, industry websites, company websites, job postings, crowdsourcing directory site Jigsaw, and other sites. He found users' email addresses, job titles, SCADA product specialties, and other juicy information that could be used to craft convincing, targeted emails.

The goal was to determine how successful spear-phishing can be used in the ICS world, and to demonstrate how attackers can use open-source online intelligence to gain a foothold in a utility or other ICS organization.

"This is pretty serious," says Digital Bond's Peterson. Given the list of titles of employees who fell for the email, an attacker trying to get remote access to a control room or other parts of the network would have hit pay dirt, he says.

Critical Intelligence's Klinger said even if an attacker was unable to connect to the SCADA network via the victim, he would still have plenty of information from the user via emails and instant messaging, for instance.

"Most people think that spear-phishing doesn't even apply to ICS," he said. But most major targeted attack campaigns against businesses and government entities have all started with a spear-phishing attack, he says, such as Shady RAT, Night Dragon, and Shamoon.

According to Trend Micro, 91 percent of targeted attacks involve spear-phishing.

The experiment was only about attacking via email, but it's the cross-contamination that could occur afterward in a real attack that's, of course, the biggest risk, he said. "An engineer with access to the network who downloads firmware ... if one who's hit then plugs" in his machine in the process control network, an attacker could then mess with the ICS systems, he says.

The phony emails included ones posing as a message from a utility supervisor with a link that appeared to be from the firm's website, and another that focused on a Rockwell product known by the victim and included a link that appeared to go to the vendor's website.

Victims who fell for the ruse did so mostly from PCs, and a smattering of other devices were used, including an iPhone.

So how can utilities protect themselves and their employees from spear-phishing attacks? Klinger said you need to know where your company and employees' information resides online in public view. "You've got to review the public source out there and how attackers can use this information," he said. "Then implement policies accordingly."

Even an organization's email schema can be abused by attackers. "One change would be to have ICS people have different emails," which would limit access on sites like Jigsaw, for instance, he says.

One control room supervisor who fell for the phish actually clicked on the phony link four times, wondering why it didn't work. "He tried once and then, an hour later, tried again," Klinger says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ANON1243948024382
50%
50%
ANON1243948024382,
User Rank: Apprentice
1/18/2013 | 5:55:41 PM
re: Spear-Phishing Experiment Targets, Hooks Energy Firms
Phishing / Spear Phishing tests have been going on for years and are usually pretty successful in showing how vulnerable folks are to these attacks. -I'm sure these results will be no surprise to -any security person that has read the article. -It's kind of like proving that water will freeze when placed in your freezer. -

We need to be spending more time discussing how to fix this by either education or removing the ability for end users to be duped by attackers.-
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Take me to your BISO 
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-23369
PUBLISHED: 2021-05-10
In YzmCMS 5.6, XSS was discovered in member/member_content/init.html via the SRC attribute of an IFRAME element because of using UEditor 1.4.3.3.
CVE-2020-23370
PUBLISHED: 2021-05-10
In YzmCMS 5.6, stored XSS exists via the common/static/plugin/ueditor/1.4.3.3/php/controller.php action parameter, which allows remote attackers to upload a swf file. The swf file can be injected with arbitrary web script or HTML.
CVE-2020-23371
PUBLISHED: 2021-05-10
Cross-site scripting (XSS) vulnerability in static/admin/js/kindeditor/plugins/multiimage/images/swfupload.swf in noneCms v1.3.0 allows remote attackers to inject arbitrary web script or HTML via the movieName parameter.
CVE-2020-23373
PUBLISHED: 2021-05-10
Cross-site scripting (XSS) vulnerability in admin/nav/add.html in noneCMS v1.3.0 allows remote authenticated attackers to inject arbitrary web script or HTML via the name parameter.
CVE-2020-23374
PUBLISHED: 2021-05-10
Cross-site scripting (XSS) vulnerability in admin/article/add.html in noneCMS v1.3.0 allows remote authenticated attackers to inject arbitrary web script or HTML via the name parameter.