Natural gas pipeline companies are currently facing a major targeted phishing attack from a single source, according to the Christian Science Monitor. The attacks, which seem to have begun in December 2011, have prompted the DHS to release three amber alerts and the ICS-CERT team to release an incident response report on Friday:
“That fact was reaffirmed late Friday in a public, albeit less detailed, “incident response” report from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), an arm of DHS based in Idaho Falls. It reiterated warnings in the earlier confidential alerts made directly to pipeline companies and some power companies.”
The incident response report explained that an analysis of the attacks shows that the attacker was using a “spear-phishing” technique:
“Analysis of the malware and artifacts associated with these cyber attacks has positively identified this activity as related to a single campaign from a single source. It goes on to broadly describe a sophisticated “spear-phishing” campaign – an approach in which cyber attackers attempt to establish digital beachheads within corporate networks.”
Natural gas companies in the US and Canada seem to be the focus of the attacker, and according to the article, some of the intrusion attempts may have been successful:
“Multiple natural gas pipeline organizations have reported either attempts or intrusions related to this campaign.”
Spear-phishing is an attack in which the attacker researches specific individuals at a company using both public and private online resources. Public corporate news is analyzed, as are individuals’ social media profiles on sites like Facebook and LinkedIn. The information gained is then used in a social engineering attack, usually a specially crafted e-mail that contains malicious links or attachments.
When the target runs the attachment or clicks on the link, the attacker obtains remote access to the target’s computer, or harvests credentials or other pertinent information.
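The traits just described (a crafted message, a link that does not go where it claims, an attachment that executes) are what a mail-gateway or SOC triage rule looks for. The script below is an added example, not code from the original post, ICS-CERT or the Christian Science Monitor; it parses two constructed sample messages with Python's standard `email` module and reports which spear-phishing indicators fire. The corporate domain `pipeline.example`, the lookalike domain `pipeline-example.com`, the extension lists and the lookalike heuristic are all assumptions made for the illustration.

```python
import os
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed corporate domain for the illustration (not from the original post).
CORPORATE_DOMAIN = "pipeline.example"

# Extensions that execute code when opened; a mail gateway would normally
# quarantine these outright. List is illustrative, not exhaustive.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".jar"}
# Document extensions that get placed before a second, executable extension.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample messages (not real traffic): one with the traits of a
# spear-phishing lure, one ordinary internal notice.
SUSPICIOUS_RAW = """\
From: IT Helpdesk <helpdesk@pipeline-example.com>
Reply-To: support@mail-reset.example
To: engineer@pipeline.example
Subject: Action required: portal password reset
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please sign in at <a href="http://login.pipeline-example.com/reset">https://portal.pipeline.example</a></p>
--b1
Content-Type: application/octet-stream; name="Maintenance_Report.pdf.exe"
Content-Disposition: attachment; filename="Maintenance_Report.pdf.exe"

ZmFrZQ==
--b1--
"""

BENIGN_RAW = """\
From: Alice Ops <alice@pipeline.example>
To: engineer@pipeline.example
Subject: Weekly maintenance window
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Schedule is on <a href="https://portal.pipeline.example/schedule">https://portal.pipeline.example/schedule</a>.</p>
"""


def _domain_of(header_value):
    """Return the lowercased domain of the address in a From/Reply-To header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def _html_parts(msg):
    """Yield the decoded text of every text/html part in the message."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            yield payload.decode(part.get_content_charset() or "utf-8", "replace")


def triage_message(raw, corporate_domain=CORPORATE_DOMAIN):
    """Score one RFC 822 message for spear-phishing traits.

    Returns a dict with the indicators that fired and their count.
    """
    msg = message_from_string(raw)
    indicators = []
    sender = _domain_of(msg.get("From"))
    reply_to = _domain_of(msg.get("Reply-To"))

    # 1. Replies are steered to a mailbox outside the apparent sender's domain.
    if reply_to and reply_to != sender:
        indicators.append(f"reply-to domain {reply_to} differs from sender domain {sender}")

    # 2. Lookalike sender (heuristic): the corporate domain's first label appears
    #    in a domain that is not the corporate domain itself.
    corp_label = corporate_domain.split(".")[0]
    if sender != corporate_domain and corp_label in sender:
        indicators.append(f"sender domain {sender} resembles {corporate_domain}")

    # 3. Attachment with an executable extension, possibly disguised as a document.
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        stem, ext = os.path.splitext(name.lower())
        if ext in RISKY_EXTENSIONS:
            inner = os.path.splitext(stem)[1]
            note = f" (masquerading as {inner})" if inner in DOCUMENT_EXTENSIONS else ""
            indicators.append(f"attachment {name} has executable extension {ext}{note}")

    # 4. Link text shows one host while the href points at another.
    for html in _html_parts(msg):
        for href, text in ANCHOR_RE.findall(html):
            shown = re.sub(r"<[^>]+>", "", text).strip()
            if not shown.lower().startswith(("http://", "https://")):
                continue
            if urlparse(shown).hostname != urlparse(href).hostname:
                indicators.append(f"link text {shown} points to {href}")

    return {"indicators": indicators, "score": len(indicators)}


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_RAW), ("benign", BENIGN_RAW)):
        result = triage_message(raw)
        print(f"{label}: score {result['score']}")
        for line in result["indicators"]:
            print("  -", line)
```

Each indicator on its own is weak (a legitimate newsletter often sets a different Reply-To), which is why the function returns all of them rather than a single verdict; a real gateway would weight them, quarantine anything with an executable attachment regardless of score, and feed the sender and link domains into blocklists shared across the sector, which is essentially what the ICS-CERT alerts referenced above did for pipeline operators.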
It is too early to tell who is responsible for these intrusions, but with the current concern over SCADA and public infrastructure attacks, it will be interesting to see which country or entity is behind this campaign.