24 Jul 2024


Controls operators are duped by bogus emails

False emails are said to be the entry route used for more than 90% of targeted cyber-attacks, in a technique known as “spear-phishing”.

In the experiment, Tyler Klinger, a security researcher with Critical Intelligence and Scott Greaux of PhishMe, sent spear-phishing emails to more than 70 employees working on industrial controls and other critical systems at two companies involved with power plants and pipeline maintenance (with the companies’ agreement). They found the employees’ email details using the Jigsaw service that provides crowd-sourced contact information for sales teams, and confirmed the addresses via company and industry Web sites and LinkedIn, which also revealed their contacts.

Using this information, they sent emails to the targeted individuals that appeared to come from colleagues and contacts, and seemed to offer job opportunities or software training. The addressees were invited to click on a link for more details. One email focused on a Rockwell Automation product that the target was familiar with, and included a link that appeared to go to Rockwell’s Web site.

Of the 23 employees who worked on industrial control systems in one company, seven clicked on the link. Of the 49 employees targeted in the second company, 11 clicked the link. One person clicked on the bogus link four times when it didn’t appear to work. The job titles of those targeted included automation technician, control room supervisor and process controls engineer.

Clicking on email links can allow attackers to access company networks. Reporting his findings to the recent S4 security conference in Florida, organised by Digital Bond, Klinger pointed out that even if attackers could not access a target company’s Scada systems, they could still gather information from emails and instant messaging systems.

According to Dale Peterson, founder and CEO of Digital Bond, the most important lesson from the spear-phishing experiment is that “it demonstrates that computers on corporate, Internet and external networks are easily compromised and should not regularly connect to industrial control systems (ICSs). These connections should be limited to emergency situations with specific processes to enable the temporary access.”

In a blogged comment, Peterson points out that if the spear-phishing victims’ browsers were missing security patches, their computers could be compromised. Attackers could also load keystroke-loggers or similar programs and gain whatever access the computer or user had to the company’s ICS.

The lesson to learn from the experiment, says Peterson, is to treat corporate networks as “untrusted” and to prevent inbound access to the ICS, except for emergencies. Companies should also work on the spear-phishing aspects of their security awareness programmes, and their incident response capabilities.

♦  According to research published last year by the security specialist Trend Micro, 91% of targeted cyber-attacks start with a spear-phishing email. Some 94% of these emails use malicious file attachments as the payload or infection source, with the remaining 6% using other methods such as installing malware through malicious links. The main file types used by attackers were: .RTF (38%), .XLS (15%), and .ZIP (13%). Executable (.EXE) files are not as popular among cybercriminals, probably because they are usually detected and blocked by virus-checkers.
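The two traits the article attributes to these emails, a link whose visible text points at a familiar vendor site while its real target is elsewhere, and attachments of the file types listed above, are both things a mail gateway or incident responder can check mechanically. The following is an added example written for this page, not code from the researchers or from Trend Micro: it builds a constructed sample message with the standard library, extracts every anchor from the HTML body, flags anchors whose displayed host differs from the host in the href, and lists attachments whose extension is in the article's list. The domains, file name and message content are invented for the demonstration.

```python
import os
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

# File types the article names as the most common spear-phishing payloads,
# plus .exe, which it notes is usually blocked by virus-checkers anyway.
RISKY_ATTACHMENT_EXTENSIONS = {".rtf", ".xls", ".zip", ".exe"}


def build_sample_email() -> bytes:
    """Constructed sample message (not from the experiment): the visible link
    text names one host, the href points at another, and an .rtf is attached."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "controls.engineer@example.com"
    msg["Subject"] = "Training on the controller you use"
    msg.set_content("Details at http://example-vendor.test/training")
    msg.add_alternative(
        '<p>Details here: <a href="http://example-vendor-updates.test/login">'
        "http://example-vendor.test/training</a></p>",
        subtype="html",
    )
    msg.add_attachment(
        b"{\\rtf1 sample}", maintype="application", subtype="rtf",
        filename="course_outline.rtf",
    )
    return msg.as_bytes()


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def find_deceptive_links(html: str):
    """Return (shown_text, real_href) for anchors whose visible text looks like
    a URL but names a different host than the href actually targets."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if "://" in text:
            shown = hostname_of(text)
        elif text.startswith("www."):
            shown = hostname_of("http://" + text)
        else:
            continue  # plain wording such as "click here" is not checked here
        actual = hostname_of(href)
        if shown and actual and shown != actual:
            findings.append((text, href))
    return findings


def risky_attachments(msg) -> list:
    """File names of attachments whose extension is in the risky set."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name.lower())[1] in RISKY_ATTACHMENT_EXTENSIONS:
            names.append(name)
    return names


def analyse_email(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and report both indicators."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    report = {"deceptive_links": [], "risky_attachments": risky_attachments(msg)}
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        report["deceptive_links"] = find_deceptive_links(body.get_content())
    return report


if __name__ == "__main__":
    print(analyse_email(build_sample_email()))
```

The host comparison is deliberately exact: a lookalike such as `example-vendor-updates.test` versus `example-vendor.test` is precisely the case the check is meant to surface, so no fuzzy matching is applied. In practice the same two checks would sit in a gateway rule that quarantines the message for review rather than in a script run by hand.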