Researcher Discovers Cyber Espionage Campaign Targeting the Renewable Energy Industry

Security researcher William Thomas has discovered a cyber espionage campaign targeting renewable energy companies. The campaign, running since at least 2019, uses a custom ‘Mail Box’ toolkit, an unsophisticated phishing package deployed on the actors’ own infrastructure, as well as legitimate websites that were compromised to host phishing pages. The phishing pages are designed to steal login credentials from employees of renewable energy firms, environmental protection organizations and industrial technology companies in general. Organizations targeted by the phishing attacks include Schneider Electric, Honeywell, Utah State University, HiSilicon and more.

I reached out to Saryu Nayyar, CEO and Founder, Gurucul for a comment, and here’s what she said:

“While the attack itself is deemed ‘unsophisticated’, this is a perfect example of an elaborate industrial espionage campaign targeting multiple sectors to disrupt or steal data from a specific industry. While simple, this phishing attack is difficult to defend against. However, with a next-generation SIEM that supports behavioral analytics supported by adaptable machine learning models, the abnormal communications to suspicious domains can immediately be prioritized for security teams to investigate and determine if a real threat exists. If the campaign is indeed purported by proponents of the fossil-fuel industry, it is indeed unfortunate. Renewable energy companies need to invest more in cloud-native analytical security solutions to protect themselves against this type of threat, but also against nation-state threat actors looking to steal intellectual property for their own energy programs.”

This should put not only renewable energy companies on notice, but all companies, as it is safe to assume that other campaigns like this exist. That means defences need to be in place to make sure that you do not become a victim.

UPDATE: Bryson Bort, CEO & Founder of SCYTHE, had this to say:

This is similar to the targeted credential theft attack as seen in the breach of the Florida water plant in 2020. The underlying goal depends on the nation-state actor involved. If it’s Russia, then it is a further example of iterative intelligence against our critical infrastructure and possibly putting “levers” in place in anticipation of conflict (Ukraine weighs heavy on the mind). On the other hand, if it’s North Korea, then it could be the reconnaissance phase for future ransomware attacks. Renewables are the fastest growing energy segment, which means they’re a target for financially motivated attacks.
