Hackers recently launched a phishing scheme against the energy sector that uses malicious attachments to download a template file via an SMB connection in order to silently harvest credentials, according to a blog post from Cisco Talos.
Last week, multiple news outlets reported that these cyberattackers have been breaching the systems of multiple U.S. energy operators since May 2017. These cyber intrusions prompted the FBI and Department of Homeland Security to issue a joint report and amber warning to utilities companies, including nuclear plants. Talos never specifically refers to this report, but confirmed to SC Media that the attacks its researchers witnessed are the same ones referenced in the amber warning.
It was previously reported that the attackers – presumably Russian – used phishing emails with malicious Word attachments in order to steal credentials that could be used to access targeted systems for the purpose of electronic surveillance, data exfiltration, and perhaps even causing destruction. (It should be noted that the attackers reportedly infiltrated only business and administrative systems, not industrial controls systems, which are typically kept offline and segregated).
Since then, Talos has shed new light on the operation, noting that although malicious Word documents often contain embedded scripts or VBA macros that execute code, these docs instead attempt to download a template file over an SMB connection from an attacker-controlled server.
This template can be leveraged to either steal credentials from an infected machine or deliver malicious payloads to that same machine, although Talos did not describe the mechanics of how this works. Pressed for more details by SC Media, Craig Williams, senior technical leader global outreach manager at Talos, simply responded that the malicious template exploits a well-known “design flaw in the SMB1 protocol,” adding that Talos was unable to determine the template’s ultimate payload.
“In the midst of recent attack trends and global campaigns, it has become easier to pass over simple techniques that serve attackers’ best interests for years. As Talos has recently observed, sometimes new takes on reliable techniques can make them even more effective,” Talos explains in its report, noting it has observed these attacks on critical infrastructure providers in not just the U.S., but also Europe.
In analyzing various samples of the malicious attachments, Talos researchers came across Word documents disguised as resumes from purported job seekers – a tactic that was described in a New York Times report last week. But the Cisco unit also spotted documents in the guise of environmental reports, including one that appears to target Ireland, referencing concerns over downstream impacts on water quality in local rivers.
Further research on the malicious template’s settings found a “Relationship ID” that led back to the GitHub page of a phishing tool called Phishery, which used the exact same ID in its own template injection. Because Phisher does not rely on SMB connections, this could just be a coincidence. However, Talos also speculated that perhaps the attackers “took notice of this tool and either modified it or developed their attack from scratch while sticking to the same concept used by the tool.” Another possibility is that the attackers used the same ID to throw off researchers.
The Talos report notes that the attackers’ reliance on SMB shows that many organizations “are still failing to properly block such egress traffic to public hosts. With no credential prompt needed for the SMB variation, we can come to understand the simplicity and effectiveness of such a technique. If an attacker is able to compromise a host and run such a server internally, the situation becomes significantly more grave.”
Travis Farral, director of security strategy at Anomali and a former ExxonMobil security intelligence supervisor, said in emailed comments that Internet and email “are the two most dangerous things industrial control systems can be exposed to, which is why every system in the corporate network should be considered hostile. It only takes a single infection inside one of these plant networks for a Petya-like worm to find its way into the system, wreaking havoc by disrupting crucial network communications and locking down plant workstations and servers.”
“The only way to keep critical infrastructure safe is to ensure there are no processes or mechanisms in place that link high-risk corporate networks to plant networks, with no exceptions,” Farral added.
Michael Daniel, president of the Cyber Threat Alliance and former cybersecurity coordinator for President Barack Obama, said that this kind of malicious cyberactivity represents a long-term threat that must be countered. “One element of this effort consists of increased information sharing, which would enable critical owners and operators to better protect their systems. Information sharing among vendors also raises the level of cybersecurity awareness across the board, making it harder for the bad guys to carry out their activities,” said Daniel, in emailed comments.