An online attack this year targeted 11 energy companies by using employee information published online to craft tainted emails, a Department of Homeland Security report said.
The attackers pulled names, email addresses and other biographical information published on an electricity company’s website and then used that information to craft emails to other energy companies, the report said.
Those emails prompted recipients to click on a link to learn the new email address of someone they knew, said the quarterly report, published Wednesday by the department’s Industrial Control Systems Cyber Emergency Response Team.
“Malicious emails were crafted informing the recipients of the sender’s new email address and asked them to click on the attached link,” the report said. “This link led to a site that contained malware.”
Though the attack targeted 11 energy companies, no known infections or intrusions occurred, the report said.
Malware is a substantial threat to energy companies because it can infect the systems that control and monitor important operations, ranging from temperature controls at a power plant to the flows in an oil or gas pipeline, which could be altered to become a hazard. Offshore facilities also rely on control systems, which businesses throughout the world use to ensure that operations run smoothly.
The government report also singled out a recent attack that was similar to a past infection at a state government facility. That incident resulted in hackers gaining control of systems and altering temperatures at the state facility, the report said.
Key to the email attack on energy companies was the information about employees published online, according to the government analysis.
“Employee names, company email addresses, company affiliations, and work titles were found on the utility’s website on a page that listed the attendees at a recent committee meeting,” the report said. “This publicly available information gave the attacker the company knowledge necessary to target specific individuals within the electric sector.”
The report recommended reducing the amount of employee information published online to cut the threat of spear phishing attacks, which involve links in malicious emails that lead to infections.
“Publicly accessible information commonly found on social media, as well as professional organization and industry conference websites, is a recognized resource for attackers performing reconnaissance activities,” the report said. “With this information, attackers can craft convincing spear phishing and have a higher likelihood of successfully convincing the targeted individual to click on the malicious link or attachment.”