Energy sector trends show that spear phishing and other sophisticated social engineering techniques are at work in disrupting energy suppliers. For more than a year, cyber criminals have attempted to leverage these tactics to spread common remote access trojans (RATs). The RATs enable hackers to carry out cyber espionage activities.
Energy sector trends: Energy suppliers at-risk
These fraudulent spear phishing emails have been received by major gas and oil equipment and technology firms, organizations involved in global power plant projects, and other energy and engineering groups. The risk is real, as demonstrated via the Colonial Pipeline attack that occurred earlier this year.
What to look for: Spear phishing, cyber espionage
To launch each attack, the cyber criminals specially tailor emails to specific employees at a given energy supplier. Varying levels of pre-attack reconnaissance work appear to have been conducted, as some emails come across as more highly targeted than others.
Emails tend to look legitimate due to references to actual executives, inclusion of real-world physical addresses, regular-looking logos, and names of known companies cited in the text. Information pertaining to contracts, referrals/tenders and ongoing projects may also appear in the mix.
The hackers seem well-versed in traditional business email (B2B) correspondences. Within the phony emails, content appears to offer business partnerships or opportunities.
In an attempt to make emails appear even more authentic, cyber criminals fill the “From” email field in with names of organizations that very likely are familiar to intended victims.
To execute this well, the hackers take the time to register a domain name that spoofs an existing domain name. They may swap a lower case letter with an upper case letter, making the address look perfectly legitimate to the untrained eye.
The cyber criminals behind this energy sector campaign appear to have gone to significant length in order to lure victims into opening malicious attachments. And, traditional antivirus tools may not help in avoiding them.
Malware evading detection by antivirus scanners
To further flummox victims, email attachments are titled with names that complement the content of the spear phishing email. However, the attachments contain .NET malware, which typically arrives in a .IMG, .ISO or .CAB file. These file types can manage to evade email-based antivirus scanners.
Experts state that the malicious attachments are used to install the RATs onto systems, allowing for cyber espionage. The RATs in use are:
- Agent Tesla
- Loki and Snake Keylogger
With these RATs, cyber criminals can obtain sensitive corporate information, from banking details to keystrokes. Although energy suppliers appear as the primary targets, hackers involved in these campaigns have also hyper-focused on manufacturing, IT and media groups. Victims hail from numerous nations, including the United States, the United Arab Emirates, Germany and South Korea.
Some cyber security researchers suggest that this is simply the first wave of attacks within a larger cyber criminal campaign. The thinking is that once hackers get into a single network, they may extract sensitive data that enables them to send spear phishing emails to that firm’s suppliers. As a result, the bad actors can hit additional organizations, sending them RATs, ransomware or other forms of malware.