Phishing Attacks: Why Energy Companies and Utilities Are Getting Zapped

Editor’s Note: This blog post was originally found on the Agari Email Security blog.

By John Wilson

The Wall Street Journal’s report that a dozen US-based utilities were targets in a recent wave of coordinated phishing attacks should set off alarm bells throughout the sector and beyond.

Energy producers and utilities don’t just keep the lights on. They play a unique role in a country’s critical infrastructure, encompassing economic health, public safety, and national security — making them appealing targets for state-sponsored hackers and saboteurs.

For years, hackers linked to Russia and Iran have probed for weaknesses in energy and utility cybersecurity defenses around the world. Among their top prey: oil and gas producers, nuclear power companies, and electrical grid operations. And in nearly every instance, their strategies have included phishing emails targeting the weakest link in most organizations’ security: humans.

Organizations hit by a continuous barrage of phishing attacks often face an expensive, high-stakes problem that’s hard to solve with traditional email security practices.

Phishing: Rising Costs, Serious Risks

The average annual cost of cyberattacks was $17.84 million per utility company in 2018, according to Accenture’s 2019 Cost of Cybercrime Report. That’s a 16% jump from 2017. Energy companies saw average annual losses rise to $13.77 million. Yet bad as it is, the consequences for successful email attacks on energy producers and grid operators can easily eclipse remediation costs.

Government and cybersecurity company investigations have shown that state-sponsored attackers have spent years phishing for nuclear reactor technology, login credentials for power plant control engineers, and other sensitive data. The fear is that successful phishing campaigns could have serious consequences for the organizations that fall victim, as well as for the constituents and communities they serve.

It’s a valid fear. A 2017 report, for instance, found that one group of threat actors had successfully phished their way into US and European energy companies, gaining “hands-on access to power grid operations.” In other words, they had the ability to shut off the lights in the countries these organizations operated. Why didn’t they? We don’t know, but analysts are concerned that the attackers are holding on to that information to exploit later — maybe at a time of international turmoil.

Utilities are vulnerable to other types of email-enabled sabotage, too. A 2018 report from Aon describes a plausible scenario involving a phishing attack on a hydroelectric dam contractor. Ten days after stealing employee credentials and accessing the dam’s control network, attackers could open all the floodgates all at once, causing catastrophic flooding.

Email Attacks Go Nuclear

Energy companies and utilities operate advanced technology, and security has been a major issue since long before cyber-espionage was a glimmer in Putin’s eye. How are state-sponsored attacks getting around security controls? Sophisticated social engineering tactics delivered via email

In the case of the US grid hack, investigators say conspirators linked to the notorious Dragonfly hacker group emailed New Year’s Eve party invitations to energy sector targets. They also sent emails with industry-centric content to get targets to open attachments that would exfiltrate the victim’s network login credentials.

Last October, the US indicted seven Russian intelligence operatives for a phishing attack on Westinghouse Electric Company’s nuclear power operations. In that case, phishing emails directed victims to a fraudulent Westinghouse website hosted on a lookalike domain and designed to collect employees’ login credentials. According to the Justice Department, the attack appears to have played a part in “technical reconnaissance” aimed at gaining access to IP addresses, domains, and network ports.

In another phishing attack on US nuclear facilities reported in 2017, criminals posed as jobseekers sending resumes to plant control engineers. The resumes contained credential-harvesting malware that the attackers apparently hoped would give them access to safety and operational systems. Thankfully, the FBI reports that the perpetrators were only able to access business and administrative networks.

That hack of the US grid that took bad actors all the way to operational access? It didn’t start with an attack on power companies. Instead, the hackers targeted utility companies’ vendors and partner email systems. Once trusted email accounts at those organizations were successfully infiltrated, they were used to launch email attacks designed to dupe power plant employees into downloading documents and sharing sensitive information. And it’s getting worse.

In 2019, there has been a spike in spear-phishing attacks on US oil and gas businesses. Investigators suspect Iran is the culprit behind one email campaign targeting executives with a fake job recruiting message impersonating the White House Council of Economic Advisors. Clicking the link would lead to the installation of malware like the kind that has struck Middle Eastern oil and gas installations in the recent past. Considering Iran’s track record of targeting companies like Saudi Aramco for data destruction, the current phishing campaign is a major concern for US fossil fuel producers and refiners.

Keeping Imposters Out of the Inbox

In all these cases, attackers rely on the simple fact that people are highly susceptible to well-timed email messages that appear to be sent by people they trust. Old-school secure email gateways (SEGs) and first-generation advanced threat protection (ATP) products aren’t designed to filter out these advanced email attacks. As a result, individual employees are left to make snap judgment calls about the safety of the messages in their inbox.

By contrast, modern email security solutions analyze incoming email based on past sender behavior and a host of other signals to identify messages that are authentic and trustworthy. Using our own solution as an example, Agari Secure Email Cloud applies advanced data science and real-time intelligence from trillions of emails to ferret out attempts at identity deception and block incoming phishing and other socially-engineered email assaults. In the event a phishing email slips through and is detected post-delivery, the solution contains it and even removes it from all the organization’s inboxes automatically.

As it stands now, Lloyds of London estimates that a single, coordinated phishing attack against power plants, utilities and other critical infrastructure could lead to $193 billion in losses worldwide. Which means energy and utility companies may find there’s plenty of incentive to deploy solutions to protect against state-sponsored phishing attacks — or risk getting zapped into major losses of their own.

Learn more about how Agari Secure Email Cloud detects, defends and deters phishing and other advanced email attacks, click here.