Days after news broke last week that advanced, persistent threat actors penetrated nuclear facilities, researchers are explaining techniques used by adversaries to gain toeholds in similar targets in energy. Cisco Talos reported Friday that email-based attacks, leveraging template injection techniques, targeting nuclear facilities and others have been ongoing since May.
“Talos has observed attackers targeting critical infrastructure and energy companies around the world, primarily in Europe and the United States. These attacks target both the critical infrastructure providers, and the vendors those providers used to deliver critical services,” researchers wrote on Friday.
Adversaries are leveraging classic Word document-based phishing attacks, they said. However, the Word document attachments used in the phishing campaigns do not contain malicious VBA macros or embedded scripting. Instead, attachments attempt to download a malicious template file over a Server Message Block (SMB) connection so that the user’s credentials can be harvested, researchers said.
Cisco Talos did not claim this specific attack was used against Wolf Creek Nuclear Operating Corporation or in connection with any specific attack cited in a joint report issued by the Department of Homeland Security and the Federal Bureau of Investigation last week. Neither did researchers claim attacks had ever led to a hacker breaching or disrupting the core systems controlling operations at an energy plant.
“One objective of this most recent attack appears to be to harvest credentials of users who work within critical infrastructure and manufacturing industries,” Talos wrote.
Targeted phishing attacks included DOCX type documents delivered as attachments under the guise of being an environmental report or a resume. While no malicious macros or scripting is embedded in the document, when a user opens it, a request is made via the SMB protocol for a template, as such “Contacting:\\ . . . \Template.dotm.”
“The document was trying to pull down a template file from a particular IP,” they noted. That connection was not via TCP 80 (often used for C2 communications), rather the SMB request was via TCP 445, a traditional Microsoft networking port.
Within the sandboxed VM “a WebDAV connection was attempted over a SMB session when requesting the template.”
WebDAV is a Web-based Distributed Authoring and Versioning extension to the HTTP protocol that allows users to collaboratively edit and manage files on a remote server, according to WebDAV Working Group.
Using the WebDAV connection, the DOCX file requests a specific Relationship ID that is present in word/_rels/settings.xml.rels, or the XML instructions. According to researchers, the Relationship ID is identical to a phishing tool named Phishery, which uses the exact same ID in its template injection.
Phishery is known as a credential harvester with a Word document template URL injector. According the GitHub tool description, “Phishery is a Simple SSL Enabled HTTP server with the primary purpose of phishing credentials via Basic Authentication.” Once the target opens the Word document attachment sent in the phishing email, the template request reaches out to a Phishery server that triggers a dialogue box on the victim’s computer requesting a Windows username and password.
Talos researchers said Phishery was not used in the attacks it observed. It theorizes attacks may have used modified Phishery code or used the same Relationship ID to thwart analysis.
In the sample Talos examined, unlike with Phishery that prompted users for credentials, instead a template file is requested from a third-party server with no Basic Authentication prompt for credentials. “Such a prompt was not needed nor seen for samples requesting the template over SMB,” they wrote.
Once the target opens the Word document a template request is made to a third-party server that initiates the download of a potentially rogue template. “The attachment instead tries to download a template file over an SMB connection so that the user’s credentials can be silently harvested. In addition, this template file could also potentially be used to download other malicious payloads to the victim’s computer,” researchers said.
Talos explains that the attacker’s SMB server was down when it analyzed samples, making it impossible to determine the payloads (if any) that could have been dropped by the template being downloaded. “Forcing SMB requests to an external server has been a known security vulnerability for many years. Without further information it is impossible to conclude what the true scope of this attack was or what malicious payloads could have been involved.”
According to a New York Times report of attacks against Wolf Creek Nuclear Operating Corporation included phishing lures with highly targeted email messages containing fake resumes for control engineering jobs.
Late last month, the U.S. government warned critical infrastructure companies of hacking campaigns against nuclear and energy sector. “Historically, cyber actors have strategically targeted the energy sector with various goals ranging from cyber espionage to the ability to disrupt energy systems in the event of a hostile conflict,” the report said.