The Department of Homeland Security is warning critical infrastructure operators about a malicious email campaign. The campaign has targeted government facilities as well as companies in the chemical, critical manufacturing, and energy industries, according to a report released Friday. The campaign, reported by the DHS Industrial Control Systems Cyber Emergency Response Team, follows previous incidents which occurred in early 2014, where the same actors used social engineering tactics and social media to perform reconnaissance and target company employees. The attackers succeeded in partially infiltrating one network. It is not known if the most recent campaign caused any damage. The department did not respond to a request for comment.
The DHS report, which follows on a June report by FireEye Inc. documenting a similar large-scale campaign targeting aerospace, construction, high tech, telecommunications and transportation companies, is one more example of how critical infrastructure operators have been dealing with an increasing amount of phishing attempts that try to trick employees into giving hackers access to their networks.
Both campaigns involved employees clicking on a URL in the email and unknowingly downloading malicious software that targeted a previously unknown bug in Adobe Flash Player, which has since been patched, said a source familiar with the matter. Once downloaded, the malicious software opened a backdoor into victim computers. The emails advertised refurbished computers.
Some recent campaigns have been even more targeted, with attackers seeking employees whose jobs involve transferring data in and out of the organization, said Michael Assante, director of industrial control systems programs at SANS Institute, a cybersecurity research and education organization.
“They know that getting to the right people gets them through the security boundary,” said Mr. Assante, who is also the former vice president and chief security officer for the North American Electric Reliability Corp. and former chief security officer for American Electric Power Co. Inc.
In December 2014, for example, a cyberattack caused physical damage to an iron plant in Germany. The attackers gained access to the unnamed plant’s office network through a targeted malicious email and were ultimately able to cross over into the production network, CIO Journal reported in December. The breach of the plant’s control systems led to an incident in which a furnace could not be shut down in the regular way, damaging the whole system.
Typically phishing emails are the first stage of an attack and are used to target a critical infrastructure operator’s business network. “Once they manage to get on the network, they can usually pivot more easily into control systems,” said Robert M. Lee, CEO and co-founder of Dragos Security LLC, a startup that focuses on industrial control systems security.
One reason that attackers are able to make their way into control systems is that some companies have pushed to connect their business and production networks so that critical data for billing and sales reaches the business side faster, said Mr. Lee, who is also an industrial control systems researcher at SANS Institute.
The DHS reports that in one case a malicious actor posed as a prospective job candidate on social media and succeeded in getting an employee at a company to open a file, disguised as a résumé, and download malicious software. ICS-CERT worked with the company on the incident, which affected only the company’s business network and not its control system network.