Honeywell, Schneider Electric targeted in cyber-espionage campaign aimed at renewable energy companies

New research has revealed a suspected intelligence-gathering campaign targeting renewable energy and other high-profile organizations, including the OT and industrial control systems (ICS) vendors Schneider Electric and Honeywell. With a particular focus on Bulgaria, the long-running espionage campaign is said to have used multiple credential-harvesting pages to target the email accounts of employees at a number of organizations since 2019, and is ongoing in 2022.

“The attackers use the same ‘Mail Box’ phishing kit and host many of the pages on their infrastructure, supported by also compromising some legitimate websites,” William Thomas, security researcher at Curated Intelligence, wrote in a blog post. The campaign was linked via its use of a custom Mail Box phishing kit which simply collects the password of any user that visits it, he added.

“The majority of the phishing pages have been hosted on *.eu3[.]biz, *.eu3[.]org, *.eu5[.]net hostnames (all owned by Zetta Hosting Solutions, AS44476),” Thomas said. Some of the phishing pages were hosted on compromised websites, several of them located in Brazil (*.com[.]br). Many of the domains used by the adversary include phrases such as “update”, “activate”, or “support” and use the “-” multiple times, he added.

Apart from OT vendors like Schneider Electric and Honeywell, the targets in the espionage campaign also included Chinese telecommunications giant Huawei, semiconductor manufacturer HiSilicon, Telekom Romania, and US universities such as the University of Wisconsin, California State University, and Utah State University. 

The campaign also targeted the Kardzhali Hydroelectric Power Station and CEZ Electro, both located in Bulgaria, as well as the California Air Resources Board, Morris County Municipal Utilities Authority, the Taiwan Forestry Research Institute, the Carbon Disclosure Program, and Sorema, an Italian plastic recycling firm. There was also a small cluster of activity in 2019 linked to the same infrastructure targeting multiple banks in Bulgaria too.

“This research was conducted using OSINT techniques such as querying public sandbox submissions and passive DNS scan results,” according to Thomas. “From this, up to 40 individuals at target organisations from a variety of sectors were identified, but there was a focus on a few such as renewable energy, environmental protection organisations, and industrial technology. This research using OSINT alone is unable to acquire the full story, but hopefully can paint a picture of the motivation of the adversary behind this campaign,” he added.

Thomas said that the Mail Box phishing kit looks very generic and unsophisticated. The lures that led to these credential harvesting pages were never recovered during this research. “However, from visiting the second stage of the kit, the lures are likely using a generic ‘Your Mail Box storage is full’ style phishing email. The landing page for this kit was always called ‘index.php’ and the target’s email address is appended to the end of the phishing URL,” he pointed out.
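As an added example (not from the article or from Curated Intelligence's research), the following Python scoring routine flags proxy log URLs that show the 'Mail Box' kit traits described above: the eu3[.]biz / eu3[.]org / eu5[.]net hosting suffixes, lure words and repeated hyphens in the hostname, an index.php landing page, and a target email address appended to the end of the URL. The log format, threshold and every hostname other than the kit suffixes are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Traits of the 'Mail Box' kit named in the research: hosting suffixes, lure
# words and repeated hyphens in hostnames, an index.php landing page, and the
# target's email address appended to the end of the phishing URL.
KIT_HOST_SUFFIXES = (".eu3.biz", ".eu3.org", ".eu5.net")
LURE_WORDS = ("update", "activate", "support")
EMAIL_AT_END = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def score_url(url: str):
    """Return (score, traits) for one URL; defanged 'eu3[.]biz' input is accepted."""
    parts = urlsplit(url.replace("[.]", "."))
    host = (parts.hostname or "").lower()
    # Everything after the host, so an email in the path, query or fragment counts.
    tail = parts.path
    if parts.query:
        tail += "?" + parts.query
    if parts.fragment:
        tail += "#" + parts.fragment
    traits = {
        "kit_hosting_suffix": host.endswith(KIT_HOST_SUFFIXES),
        "lure_word_in_host": any(word in host for word in LURE_WORDS),
        "multi_hyphen_host": host.count("-") >= 2,
        "index_php_landing": "/index.php" in parts.path.lower(),
        "email_appended": EMAIL_AT_END.search(tail) is not None,
    }
    return sum(traits.values()), traits


def flag_log_lines(lines, threshold=3):
    """Assumed log format: timestamp client method url status. Returns flagged (url, score)."""
    flagged = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line, skip rather than crash the sweep
        score, _ = score_url(fields[3])
        if score >= threshold:
            flagged.append((fields[3], score))
    return flagged


# Constructed sample proxy log lines; only the kit suffixes are real indicators.
LOG_LINES = [
    "2022-01-20T09:14:03Z 10.0.0.12 GET http://support-mail-update.eu3.biz/index.php?a.ivanova@example-utility.bg 200",
    "2022-01-20T09:15:11Z 10.0.0.31 GET https://www.example.com/docs/index.php 200",
    "2022-01-20T09:16:45Z 10.0.0.12 GET http://mail-activate-box.example.com.br/index.php#d.petrov@example-energy.bg 200",
    "2022-01-20T09:17:02Z 10.0.0.44 GET https://updates.example.org/support/index.php 304",
]

if __name__ == "__main__":
    for url, score in flag_log_lines(LOG_LINES):
        print(f"{score}/5  {url}")
```

The fourth sample line (a benign "support/index.php" path on a hostname containing "update") scores 2 and stays below the threshold, which is the kind of false positive a single-trait rule would raise.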

Two clusters of activity did overlap with some of the campaign artefacts, Thomas said, which include campaigns attributed to two advanced persistent threat (APT) groups – APT28, also known as FancyBear and attributed to the Russian GRU, and Konni, a group linked to the North Korean RGB.

On Jan. 14, Google TAG researchers disclosed several hostnames that use the same infrastructure as this campaign, Thomas said. The APT28 hostnames used to phish the credentials of users in Ukraine also used “eu3[.]biz” hostnames and Zetta Hosting Solutions (AS44476). It is currently unknown, however, whether the ‘Mail Box’ phishing kit was used and the domains lack the use of the “-” multiple times, he added. 

Thomas also said that on Jan. 3, Cluster25 revealed a Konni RAT campaign targeting Russian diplomats also using Zetta Hosting Solutions (AS44476) for command and control (C2) domains. “However, the Konni RAT used ‘c1[.]biz’ instead of the other main three hostnames that were observed in this campaign. Based on these links alone, however, it would not be sufficient to say this campaign is connected to either APT,” he added.

“Attribution using these campaign artefacts and OSINT reports alone was not possible. However, it can be inferred that the adversary behind these attempts appears to be interested in Bulgaria, for starters, plus critical infrastructure, renewable energy, environmental protection agencies, and recycling technology,” Thomas said. 

Supplemental targets such as ICS/OT organizations and educational institutions would complement this intelligence-gathering campaign if access could be obtained at these entities, he added. “From this it could be suggested that the adversary behind this campaign is potentially a major source of fossil fuels and is doing research on the renewable energy sector as a threat to its income,” Thomas added.

This is similar to the targeted credential theft attack as seen in the breach of the Florida water plant in 2020, Bryson Bort, CEO and founder at SCYTHE, wrote in an emailed statement. “The underlying goal depends on the nation-state actor involved. If it’s Russia, then it is a further example of iterative intelligence against our critical infrastructure and possibly putting ‘levers’ in place in anticipation of conflict (Ukraine weighs heavy on the mind). On the other hand, if it’s North Korea, then it could be the reconnaissance phase for future ransomware attacks.” 

Renewables are the fastest-growing energy segment, which makes them a target for financially motivated attacks, Bort added.
