|Data Sources|File monitoring, Packet capture, Network intrusion detection system, Detonation chamber, Email gateway, Mail server|
|Asset|Engineering Workstation, Human-Machine Interface, Control Server, Data Historian|
Adversaries may use a spearphishing attachment, a variant of spearphishing, as a form of social engineering attack against specific targets. Spearphishing attachments differ from other forms of spearphishing in that the malware is carried in a file attached to the email rather than behind a link or a service. All forms of spearphishing are electronically delivered and target a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution (the recipient opening the file, enabling macros, or running an installer) to gain execution and access. [1]
- ALLANITE utilized spear phishing to gain access into energy sector environments. [2]
- APT33 sent spear phishing emails containing links to HTML application (.hta) files, which were embedded with malicious code. [3] APT33 has conducted targeted spear phishing campaigns against U.S. government agencies and private sector companies. [4]
- Dragonfly 2.0 used the Phishery toolkit to conduct spear phishing attacks and gather credentials. [5][6] Dragonfly 2.0 conducted a targeted spear phishing campaign against multiple electric utilities in North America. [7][8]
- Dragonfly sent PDF documents over email which contained links to malicious sites and downloads. [9]
- HEXANE has used malicious documents to drop malware and gain access into an environment. [10]
- Lazarus Group has been observed targeting organizations using spearphishing documents with embedded malicious payloads. [11] Highly targeted spear phishing campaigns have been conducted against a U.S. electric grid company. [12]
- OilRig used spearphishing emails with malicious Microsoft Excel spreadsheet attachments. [13]
- The Backdoor.Oldrea RAT is distributed through a trojanized installer attached to emails. [14]
- BlackEnergy targeted energy sector organizations in a wide-reaching email spearphishing campaign. Adversaries utilized malicious Microsoft Word document attachments. [15]
- Antivirus/Antimalware - Deploy anti-virus on all systems that support external email.
- Network Intrusion Prevention - Network intrusion prevention systems and systems designed to scan and remove malicious email attachments can be used to block activity.
- Restrict Web-Based Content - Consider restricting access to email within critical process environments. Additionally, downloads and attachments may be disabled if email is still necessary.
- User Training - Users can be trained to identify social engineering techniques and spearphishing emails.
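The data sources listed above (email gateway, mail server, file monitoring) and the "scan and remove malicious email attachments" mitigation come down to inspecting what is actually attached before a user can execute it. The following is an added illustration of that check, written for this page and not taken from ATT&CK or from any of the cited reports: it parses a raw MIME message, and for every attachment records the sniffed file type, flags the patterns the procedure examples describe (macro-enabled Office documents, trojanized executables, HTA/script files), and catches an extension that lies about its content. The sample message, sender and recipient addresses, filenames and payload bytes are all constructed here; the extension and magic-byte lists are illustrative assumptions, not a vendor's ruleset.

```python
"""Gateway-style triage of email attachments (added example; constructed data)."""
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Illustrative policy lists (assumptions for this example, not a vendor ruleset).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".hta", ".js", ".vbs", ".ps1", ".msi", ".lnk", ".iso", ".img"}
# Leading-bytes signatures used to sniff the real container type.
MAGIC = [(b"MZ", "pe"), (b"%PDF", "pdf"), (b"PK\x03\x04", "zip"), (b"\xd0\xcf\x11\xe0", "ole")]
# What container each claimed extension should actually be.
EXPECTED_TYPE = {".pdf": "pdf", ".docx": "zip", ".docm": "zip", ".xlsx": "zip",
                 ".xlsm": "zip", ".doc": "ole", ".xls": "ole", ".exe": "pe"}


def sniff(data: bytes) -> str:
    """Return the container type implied by the first bytes, or 'unknown'."""
    for prefix, kind in MAGIC:
        if data.startswith(prefix):
            return kind
    return "unknown"


def ooxml_has_macros(data: bytes) -> bool:
    """OOXML (docx/xlsx/...) is a zip; a vbaProject.bin part means VBA is embedded."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.endswith("vbaProject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename: str, data: bytes) -> dict:
    """Score one attachment; any reason means it should be held for analysis."""
    parts = filename.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    kind = sniff(data)
    reasons = []
    if ext in BLOCKED_EXTENSIONS:
        reasons.append("blocked-extension")
    if len(parts) > 2 and "." + parts[-2] in EXPECTED_TYPE:
        reasons.append("double-extension")          # e.g. Schedule.pdf.exe
    expected = EXPECTED_TYPE.get(ext)
    if expected and kind != expected:
        reasons.append(f"type-mismatch:{ext}!={kind}")  # extension lies about content
    if kind == "zip" and ooxml_has_macros(data):
        reasons.append("office-macros")
    if kind == "ole":
        reasons.append("legacy-office-container")   # .doc/.xls may carry macros
    return {"filename": filename, "type": kind,
            "sha256": hashlib.sha256(data).hexdigest(),  # for IOC lookup / detonation chamber
            "reasons": reasons, "verdict": "quarantine" if reasons else "allow"}


def triage_message(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and triage every attachment part."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return [triage_attachment(p.get_filename() or "unnamed", p.get_payload(decode=True))
            for p in msg.iter_attachments()]


def build_sample_message() -> bytes:
    """Constructed spearphish with four attachments; none of this is real campaign data."""
    msg = EmailMessage()
    msg["From"] = "vendor-support@example.test"
    msg["To"] = "hmi-operator@example.test"
    msg["Subject"] = "Updated turbine maintenance schedule"
    msg.set_content("Please review the attached schedule before shift change.")
    # 1. Macro-enabled Word document: OOXML zip containing a VBA project part.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="Schedule.docm")
    # 2. Executable hiding behind a double extension.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="Schedule.pdf.exe")
    # 3. Executable renamed to .pdf: only the magic bytes give it away.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="pdf", filename="Readme.pdf")
    # 4. Genuine PDF, should pass.
    msg.add_attachment(b"%PDF-1.7\n%%EOF\n", maintype="application",
                       subtype="pdf", filename="Schedule.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage_message(build_sample_message()):
        print(finding["verdict"], finding["filename"], finding["reasons"])
```

The check deliberately trusts neither the Content-Type header nor the filename on its own: the declared type is attacker-controlled, so the verdict is driven by the sniffed container and the presence of a VBA part. Held attachments can then be forwarded to a detonation chamber, and the recorded SHA-256 ties the gateway event to later file-monitoring hits on an engineering workstation or HMI.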
1. Enterprise ATT&CK. (2019, October 25). Spearphishing Attachment. Retrieved October 25, 2019.
2. Jeff Jones. (2018, May 10). Dragos Releases Details on Suspected Russian Infrastructure Hacking Team ALLANITE. Retrieved January 3, 2020.
3. Jacqueline O'Leary et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved December 2, 2019.
4. Andy Greenberg. (2019, June 20). Iranian Hackers Launch a New US-Targeted Campaign as Tensions Mount. Retrieved January 3, 2020.
5. Symantec. (2017, September 6). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 14, 2017.
6. Sean Baird, Earl Carter, Erick Galinkin, Christopher Marczewski & Joe Marshall. (2017, July 7). Attack on Critical Infrastructure Leverages Template Injection. Retrieved December 5, 2019.
7. Dragos Threat Intelligence. (2018, September 17). THREAT INTELLIGENCE SUMMARY TR-2018-25: Phishing Campaign Targeting Electric Utility Companies. Retrieved January 3, 2020.
8. Dragos Threat Intelligence. (2018). ICS Activity Groups and Threat Landscape. Retrieved January 3, 2020.
9. ICS-CERT. (2017, October 21). Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved October 23, 2017.
10. Dragos. (n.d.). Hexane. Retrieved October 27, 2019.
11. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
12. Eduard Kovacs. (2018, March 1). Five Threat Groups Target Industrial Systems: Dragos. Retrieved January 3, 2020.
13. Robert Falcone, Bryan Lee. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved November 19, 2019.
14. Daavid Hentunen, Antti Tikkanen. (2014, June 23). Havex Hunts For ICS/SCADA Systems. Retrieved April 1, 2019.
15. Booz Allen Hamilton. (n.d.). When The Lights Went Out. Retrieved October 22, 2019.