
Spear Phishing Campaigns Against US Utilities - Are You the Vulnerability?

image credit: Photo by Pankaj Patel on Unsplash

These spear-phishing campaigns have been targeting U.S. utility companies in waves. The first wave of malicious emails was identified between July 19 and 25, although it has since been discovered that the activity began as early as April. A second wave was identified between August 21 and 29, with as many as 17 U.S. utility companies confirmed as targets of these campaigns.

What is spear-phishing?

In ordinary phishing, the malicious actor sends spoofed emails in bulk, pretending to be an organization that most users would trust, such as a bank or a major retailer. The phisher hopes that one or several of the many recipients will fall for the facade and click the link or download the malicious attachment.

Spear-phishing is more sinister and far less spray-and-pray: the whole act requires more effort, calculation, and research. A spear-phisher gathers as much personal information about the target as possible. In most cases this includes the target's family, friends, colleagues, company, and affiliated organizations.

The goal of the spear-phisher is to influence the target to click a link or open malicious content, such as an email attachment, at a specific moment. By applying social engineering techniques and leveraging the target's personal information, the attacker gets the target to react without thinking and, unbeknownst to them, welcome the attack.

Think you can't be a target? Think again.

For many internet users, the idea of being the target of a cyberattack seems remote. Unfortunately, spam filters are only a thin layer of protection. The comfort users have developed, and their heavy reliance on firewalls, spam filters, and other perimeter controls, increases the exposure of you, your family, friends, colleagues, and your organization: a well-crafted spear-phishing email is built to pass those filters and land in front of a person.

One of the best ways to protect yourself and your organization from these attacks is to understand the tactics of a malicious actor and what they are after: information.

The Spear-Phishing Mindset

In this example, we will use the pseudonym "John Doe" as the "mark," our way into the actual "target," his organization. We will walk through the thought process of a spear-phisher in order to get a full picture of our own exposure, so that we can protect ourselves, the people close to us, and our organizations from future spear-phishing attacks.

How does a Spear-Phisher gather information?

Mimicking a spear-phisher: we see a news article about a company of interest in our news feed, and it mentions a few names of people affiliated with that company. From there we ask:

  • Do they have a company page on Twitter, Facebook, LinkedIn, etc.?
  • Which users are interacting with the company pages the most, and the least?
  • Do any of the users mention that they work for the company or an aligned institution?
  • Does the user have a public profile?
  • What is their position in relation to the company?

It looks like John Doe uses his real name on both Facebook and LinkedIn, and he seems to enjoy political arguments, so he leaves his Facebook profile public in order to engage.

John’s “About Section” shows that he is the father of Jane and Joe and graduated in 1990 from ‘Mark State University.’

Looking at John's kids' profiles, we see that Joe has a varsity football game coming up at his high school next week and that Jane has a crush on someone in her 10th-grade chemistry class.

John's wife, Jill, is a realtor in the same neighborhood as the children's high school. Her profile is public as well, presumably because it is one of her main ways of connecting with clients.

Now we know the high school from Joe and Jane's pictures, the realtor information and a few of her clients from John's wife, and we can assume that John lives nearby, since the school is also within 20 miles of our main "target," John's company.

As pretend spear-phishers, let's review what information we have already gathered:

  • John's employer, email domain, location, phone, website, management team, and partner organizations; after a preliminary search of the company's email domain we see that most addresses lead with the first initial followed by the last name, so John's would be
  • The children's grade levels, ages, school location, friends, schedules, birthdays, appearance, and interests, based on their posts.
  • Jill's (John's wife's) job and location, her birthday from previous posts, her friends, clients, contact information, and appearance.
  • John's interests, sports teams, political views, favorite foods, checked-in locations (places he frequents), how long he has worked for his company, etc.

With this information there is a great deal we could do, but let's take it a step further by entering John's full name and location into a search engine.

  • John leaves reviews for products purchased online as well as search-engine reviews for services received offline. From those products and services we learn that John has a few hobbies and a dog that he took to the vet last March.
  • An obituary listing shows that John lost one of his parents last year; cross-referencing with his Facebook posts confirms it was his father.
  • Public records available online show his birth year, house lot, community memberships, etc.

With the above information, a malicious actor can craft an email or phone call that invokes fear, influencing John to panic and respond with more information or, in the case of an email, click the link or open an attachment, infecting his personal computer or, if he opens it at work, his company's network.

NOTE: In social engineering this is a psychological tactic that invokes alarm and urgency and, like the mechanics of propaganda, pushes the target to react impulsively and decide on emotion, overriding logic.

Why is it important that we know how a malicious actor gathers information?

The above example is just one of the many ways a malicious actor can gather information. It is important to know this mindset because it highlights how any one of us can be a target, and what we can do about it, for example:

  • Minimize what personal information is available online.
  • Verify sender or caller information using trusted sources you already hold (a phone book, a Rolodex, the Better Business Bureau, your own communication logs, etc.), never the contact details supplied in the suspicious message itself.
  • Search for yourself as if you were a spear-phisher: what can you find out about yourself, your family, and your company?
  • Contact the webmasters hosting your information and request that it be removed from their sites.
  • Disinformation can also make a spear-phisher's job harder and can tip you off about which source they used to research you. This can be done by using a wrong name, address, interests, and other details on profiles, especially those you are having a hard time getting removed.

The above scenario highlights why organizations are especially vulnerable. Most of their information is public, and each employee can be viewed as an access point by an attacker. Not to mention that if the company is advertising job openings, an attacker can easily send an email with an attachment labeled "resume.doc." In most cases a malicious actor only has to dig as far as a website's partner page or its press releases to find a way into the targeted company, which is exactly what was attempted this year.

How was spear-phishing used to attack U.S. Utility entities?

Unlike the scenario above, in July of this year the bad actors created a false website impersonating a U.S. engineering licensing board, with emails designed to match the actor-controlled website and using the actual logo of the board they were impersonating.

The emails carried a Microsoft Word attachment containing malicious macros which, when the document is opened and the macros are enabled, install and run malware. This malware consists of a remote access Trojan, or RAT, module and a proxy mechanism used for command-and-control communication. In other words, once a system is infected, a remote unauthorized user can take control of it.

In this case, the actors sent fraudulent emails stating that the recipient had failed an examination, with the attached document labeled "Result Notice.doc."

Then in August, the malicious actors used similar tactics, but this time they claimed to be a licensing body related to the utility sector, again using a web address mimicking the legitimate organization and its logo copied from the real site. In these emails they attached an MS Word document labeled "take the exam now.doc" as well as a manual in PDF format taken from the legitimate site. This shows the culprits increasing their sophistication in social engineering and information gathering and refining their malicious efforts.
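Both lures described above share a detectable shape: a sender domain that resembles a legitimate licensing body, a failed-exam message that pressures the reader, and a Word attachment carrying VBA macros. The script below is an added example of a mail-gateway triage rule for that shape; it is not code from the original article, from the researchers who reported the campaigns, or from any vendor. The trusted-domain list, the sender domain, the message text and the attachment bytes are all constructed for the example, and the macro check is a heuristic (it looks for the OLE directory-entry names used by macro-bearing .doc files and for the vbaProject.bin part in .docm files), not a full document parser.

```python
"""Added example: gateway triage for a "failed exam" lure carrying a macro document.

Everything here is constructed for illustration: the trusted-domain list, the
sender domain, the message text and the attachment bytes. The macro check is a
heuristic (OLE directory-entry names, OOXML vbaProject.bin part), not a parser.
"""
import email
import email.utils
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Hypothetical list of organisations this utility legitimately deals with.
TRUSTED_DOMAINS = ["example-licenseboard.org", "utility.example"]

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # Word 97-2003 .doc (compound file)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML .docx/.docm (zip container)
# OLE stores directory-entry names as UTF-16LE; both of these appear in macro-bearing .doc files.
OLE_MACRO_MARKERS = [s.encode("utf-16-le") for s in ("Macros", "_VBA_PROJECT")]
URGENCY = re.compile(r"\b(failed|immediately|within \d+ hours|suspended)\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value between two domains means a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return the trusted domain that `domain` imitates, or None.

    An exact match is legitimate. A near miss (doubled letter, transposed letters,
    swapped TLD) is the typosquat pattern described in the campaigns above."""
    domain = domain.lower()
    if domain in trusted:
        return None
    for t in trusted:
        if (edit_distance(domain, t) <= max_distance
                or edit_distance(domain.split(".")[0], t.split(".")[0]) <= max_distance):
            return t
    return None


def has_macros(data: bytes) -> bool:
    """Heuristic VBA check covering both Office container formats."""
    if data.startswith(ZIP_MAGIC):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    if data.startswith(OLE_MAGIC):
        return all(m in data for m in OLE_MACRO_MARKERS)
    return False


def triage(raw: bytes) -> list:
    """Return human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    _, addr = email.utils.parseaddr(str(msg["From"] or ""))
    sender_domain = addr.rsplit("@", 1)[-1]
    imitated = lookalike_of(sender_domain)
    if imitated:
        findings.append(f"sender domain {sender_domain} resembles trusted {imitated}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if URGENCY.search(str(msg["Subject"] or "") + " " + text):
        findings.append("urgency/fear language in subject or body")
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        if has_macros(data):
            findings.append(f"attachment {name} contains VBA macros")
        elif re.search(r"\.docm?$", name, re.I) and not data.startswith((OLE_MAGIC, ZIP_MAGIC)):
            findings.append(f"attachment {name} is not a Word document despite its name")
    return findings


def build_sample_lure() -> bytes:
    """Constructed message modelled on the lure described above (not a real sample)."""
    m = EmailMessage()
    m["From"] = "Exam Results <results@example-licensebaord.org>"  # 'oa' transposed
    m["To"] = "jdoe@utility.example"
    m["Subject"] = "Result Notice"
    m.set_content("You failed the examination. Open the attached notice within 24 hours.")
    # Fake OLE container: the real magic bytes plus the two macro directory-entry names.
    fake_doc = OLE_MAGIC + b"\x00" * 504 + OLE_MACRO_MARKERS[0] + b"\x00" * 20 + OLE_MACRO_MARKERS[1]
    m.add_attachment(fake_doc, maintype="application", subtype="msword", filename="Result Notice.doc")
    return m.as_bytes()


def build_fake_docm() -> bytes:
    """Minimal OOXML-style zip with a vbaProject.bin part (constructed, not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for line in triage(build_sample_lure()):
        print("FLAG:", line)
```

Run against the constructed lure, triage() returns three findings: the look-alike sender domain, the urgency language, and the macro-bearing attachment. Any one of them on its own is a reason to hold the message for review rather than deliver it; the domain check in particular is cheap and catches the part of the lure that no amount of copied logo work can hide. Because legitimate business documents do sometimes carry macros, quarantine and notify rather than silently drop, and pair this with a mail policy that strips or blocks macro-enabled Office files from external senders.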

Although previous cyberattacks have yet to cause a major blackout at a U.S. utility, critical infrastructure providers are clearly a major target for these malicious actors. Hackers targeting the energy sector are a constant threat, putting utilities "at the forefront of the new cyber battlefield," according to Jason Haward-Grau, chief information security officer at cybersecurity firm PAS Global. The purpose of the recent spear-phishing attempts was to infect employees at U.S. utility companies with the LookBack RAT, so it is imperative that we stay vigilant and proactive in preventing this kind of infiltration.

How to protect an organization from spear-phishing cyberattacks?

In the above instances, the researchers involved told Threatpost that the malicious emails were blocked before they could infect the unnamed utility companies. Even though these emails were blocked, we should assume that the attacks will become more advanced and persistent.

To further protect your company, it is advised:

  • Provide continuous security awareness training for all employees on how to spot cybersecurity threats such as suspicious emails.
  • Set up internal controls for training employees on when not to respond, and to always report and escalate questionable email activity.
  • Monitor and confirm that employees have completed their training before they interact with any company-connected device.
  • Map out when and how employees should alert their IT and OT technology managers to any suspicious emails or system activity.
  • Set up internal security procedures for identifying suspicious emails that make it through spam filters and for what to do when one is borderline questionable; since both waves relied on macro-enabled Word attachments, blocking or quarantining such attachments from external senders belongs in those procedures.
  • Communicate to employees which applications are authorized by the company and which patches are approved.
  • Allow only company-approved IT/OT applications that are necessary for system operations.
  • Implement a patch management program that adheres to the NERC CIP standards.
  • Deploy frequent system scanning and monitoring.
  • Implement internal controls and technologies to identify unusual behavior and notify the responsible departments for further investigation.
  • Use traditional measures such as approved firewalls, anti-virus, detection and scanning software, and other authorized precautions specified by the company's IT and OT technology managers.

Furthermore, the sooner your IT and OT technology managers become aware of suspicious cyber activity, such as spear-phishing attempts, malicious applications or packets, or unusual system activity, the sooner the attack can be halted and addressed, and the threat communicated to other critical infrastructure providers who may also be targets.

In order to identify, prevent, assess, recover from, and protect our entities and grids against any unauthorized cyber infiltration, it is imperative that cybersecurity is constantly communicated across all departments and teams, as well as between entities.

Posted by Tiffany Aliano


Matt Chester on Sep 27, 2019 12:57 pm GMT

Definitely need the tech solutions to fight this, but it really does come down to educating people. As folks in IT would say, oftentimes these come down to issues that are PMAC (problem exists between monitor and chair) or PICNIC (problem in chair, not in computer) issues. Well-educated and prepared workers must be the first line of defense.

Tiffany Aliano on Sep 28, 2019 4:38 pm GMT

PEBKAC (Problem Exists Between Keyboard & Chair) is the one I recall using, and I agree. Each employee with device access is our first line of defense and should be well educated on how to respond, especially since malicious actors see each employee as a gateway into the system.
