Mandiant details malicious industrial-themed phishing emails, warns of broad implications for OT defenders

Mandiant researchers said that they have analyzed a dataset of over 1700 unique, industrial-themed phishing samples delivered to organizations worldwide in 2022. The team built the dataset using a specialized set of industrial-related keywords to search through millions of samples and pinpoint phishing emails impersonating email communications from personnel operating or handling operational technology (OT) and industrial processes.

“Defenders tasked with hunting for potential industrial-targeted attacks can sift out the noise of generic phishing attempts to focus on higher-risk threats and prevent simple compromises from branching out into more impactful events that affect critical production systems,” the researchers wrote in a blog post on Tuesday. “While it may appear that the objectives of these threat actors pose little risk to operational technology (OT) systems, the fast-paced nature and professionalism of their techniques have broad implications for OT defenders.”

Mandiant has regularly observed hackers spreading phishing emails that contain terminology and concepts specific to industrial sectors, such as energy, manufacturing, and water utilities. The use of industrial-themed lures and phishing emails suggests that at least in some cases, actors are tailoring their attacks to target industrial organizations.

The researchers said that phishing campaigns vary in lure complexity, tooling, volume, and objectives. However, what most phishing campaigns have in common is that they reveal little context about an actor’s end objectives given that they represent the earliest stages of a mission. Seemingly simple phishing that is not necessarily targeted to specific victims can branch out into entirely different post-compromise activity, such as business email compromise (BEC), ransomware deployment, espionage, data leaks, or cyber-physical attacks.

“Industrial-themed phishing emails are particularly risky as they use specialized language that is common for employees that work with OT,” Mandiant said. “Even if the threat actor conducting a phishing campaign does not have enough expertise to cause serious damage on their own, actors often share, sell, or distribute access for other actors to use. In the case of ransomware, we have frequently observed formal affiliation models, where different actors are responsible for different portions of an operation.”

The researchers added that while implementing phishing mitigations is typically out of the scope of OT security personnel, recognizing which compromises have the potential to escalate can help defenders prevent actors from ever reaching high-value targets such as OT systems or assets.

“From our samples, we recovered 1,017 different payloads and, whenever feasible, we determined the malware associated with each sample. We note that our collection only reflects findings from a single large source and as such, is not necessarily representative of the full volume of phishing distribution,” according to the researchers. “The size of the collection is limited to instances that were submitted to the malware repository we utilized. Additionally, each of the samples we analyzed could have been used against one or multiple victims across one or multiple organizations.”

They added that the number of emails identified during the year did not seem to show a clear pattern. “Although we identified a significant increase in activity during March, it is possible these result from extraneous factors such as the number of submitted emails. We did not perform analysis over time to determine the possibility of seasonality,” the researchers further disclosed.

The researchers also reported that their analysis of industrial-themed phishing samples identified a total of 34 different malware families, many of which are broadly deployed and used in various types of compromises. “Actors of all motivations regularly use these tools—such as AGENTTESLA, FORMBOOK, or REMCOS—because of their effectiveness and ease to acquire at low or no cost,” they added.

Mandiant said that while defenders may be tempted to overlook some of the readily available malware families it identified “due to their perceived simplicity or lack of novelty, such malware is often packed using techniques to evade detection and enable actors to gain a foothold and move across target networks. This can provide more sophisticated actors with access and tools necessary to move closer to OT targets while also thwarting attribution efforts due to the generic nature of the malware.”

The documented malware families possess different levels of capability: some are fully functional backdoors supporting a range of standard functions, while others are limited to one or a few operations such as harvesting credentials, downloading additional resources, or mining data. Additionally, these malware families are sometimes customizable and can be paired with external ‘crypters’ or packers to evade detection by antivirus engines.

“Some of this malware also includes capabilities such as video and microphone audio collection which have been available in remote access trojans (RATs) for a long time,” Mandiant said. “The availability of such tooling challenges historical notions that only well-resourced threat actors have access to such comprehensive capabilities.”

Mandiant also observed phishing emails with different levels of sophistication. “Some actors developed well-crafted content, assimilating real-life OT-themed communications, while others distributed messages with common phishing traits, such as grammatical mistakes or format errors. Some actors repurposed stolen email chains—also known as reply hijacking—using automated methods in attempts to expand victims and operations,” the post said.

The researchers also identified distribution threat clusters, a defined set of suspected cybercriminal activity whose primary objective is to deliver malware payloads to multiple victims. “While distribution threat clusters only produced a small portion of the phishing emails we analyzed, these samples are especially risky for organizations as they open the door for follow-on activity within the victim network. Campaigns from distribution threat clusters have led to intrusions that resulted in the deployment of post-compromise ransomware. Despite its financial nature, this activity can disrupt the capability of organizations to sustain regular production flows,” they added.

Distribution threat clusters sometimes employ sophisticated tactics, techniques, and procedures (TTPs) to deliver payloads. Common TTPs used by these clusters include frequent and fast-paced campaigns whose subjects and themes appear to reply to legitimate email chains; automated creation of high-quality phishing lures, for example by using common, contemporaneous, or sensational phrases or topics; use of modified or customized malware combined with heavy obfuscation or packing/encrypting of binaries; adaptation of TTPs and infrastructure in an attempt to evade detection and attribution; and use of multi-stage infection chains to deliver payloads.

Mandiant researchers said that most of the phishing activity they observed across industrial-themed phishing samples was distributed en masse. “Opportunistic phishing attempts often use weaker methods that are easily detected and blocked by automated systems such as enterprise email scanning solutions or endpoint protection software. Most often, this activity is associated with common financial crime schemes such as BEC, credential phishing, money mule and shipping scams, IT remote access or individual extortion and fake blackmail,” they added.

The researchers added that groups involved in opportunistic phishing typically hold no interest in specific industries or organizations. However, actors that succeed in compromising industrial victims could then take advantage by selling the access to other actors at a premium if they realize that it provides potential access to OT.

Mandiant called upon organizations to perform threat modeling in OT environments to identify users and groups with access to OT systems and resources that are high-value targets for threat actors. Mandiant also suggested leveraging threat intelligence to learn about common initial access techniques, actor infrastructure, and ongoing campaigns targeting industrial organizations.

Additionally, the researchers recommend using the insights gained from threat intelligence and threat modeling to hunt within the environment for OT-specific phishing attempts. Furthermore, organizations must hunt for post-compromise indicators such as offensive tooling and evidence of privilege escalation or credential dumping that may indicate that a threat actor evaded detection during the initial access phase. They must also establish response plans to counter instances where credentials may have been stolen.
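One way a defender could implement the keyword-driven hunt described above (and the industrial-vocabulary filtering Mandiant used to build its dataset), as an added example that is not Mandiant's code or methodology. The OT vocabulary, the scoring weights, and the sample messages are all constructed for illustration.

```python
"""Triage email metadata to surface industrial-themed phishing for hunting.

Only messages containing OT vocabulary are scored; on those, two traits the
article associates with riskier campaigns raise the score: a reply-style
subject with no threading header (reply hijacking) and an archive or
executable attachment. Vocabulary and weights are assumptions.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed OT/industrial vocabulary (assumption; not Mandiant's keyword set).
INDUSTRIAL_TERMS = {
    "scada", "plc", "hmi", "rtu", "modbus", "dcs", "substation", "turbine",
    "pump station", "control room", "outage", "maintenance", "work order",
    "purchase order", "shutdown",
}
RISKY_ATTACHMENT = re.compile(r"\.(iso|img|lnk|js|vbs|exe|scr|zip|rar|7z)$", re.I)
REPLY_SUBJECT = re.compile(r"^\s*(re|fw|fwd)\s*:", re.I)

@dataclass
class Email:
    subject: str
    body: str
    in_reply_to: Optional[str]   # value of the In-Reply-To header, if present
    attachment: Optional[str]    # attachment filename, if present

def industrial_terms(msg: Email) -> Set[str]:
    """Return the OT terms present as whole words in subject or body."""
    text = f"{msg.subject}\n{msg.body}".lower()
    return {t for t in INDUSTRIAL_TERMS
            if re.search(rf"(?<![a-z0-9]){re.escape(t)}(?![a-z0-9])", text)}

def triage(msg: Email) -> Tuple[int, List[str]]:
    """Score one message; non-industrial mail is ignored (score 0)."""
    terms = industrial_terms(msg)
    if not terms:
        return 0, []
    score, reasons = 1, [f"industrial terms: {sorted(terms)}"]
    if REPLY_SUBJECT.match(msg.subject) and not msg.in_reply_to:
        score += 2
        reasons.append("reply-style subject without In-Reply-To header")
    if msg.attachment and RISKY_ATTACHMENT.search(msg.attachment):
        score += 2
        reasons.append(f"archive/executable attachment: {msg.attachment}")
    return score, reasons

def hunt(msgs: List[Email], threshold: int = 3) -> List[str]:
    """Subjects of messages at or above the threshold, for analyst review."""
    return [m.subject for m in msgs if triage(m)[0] >= threshold]

SAMPLES = [  # constructed messages, not real phishing samples
    Email("RE: Pump station 4 maintenance work order",
          "See attached PLC config for the change.", None, "WO-2241.zip"),
    Email("Quarterly newsletter", "Company picnic is on Friday.", None, None),
    Email("RE: SCADA outage report", "Attached as requested.",
          "<msg-id-1@example.invalid>", "report.pdf"),
]
```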
