UPDATE: Added picture of email text
Digital Bond recently had a nice little spear phishing attempt, from an email account registered to look like Dale, to a Digital Bond employee. The attack linked to a probably-malicious .zip file based upon an old research paper that we published. There are no AV signatures for the payload. It was a one-shot deal: the nameserver for the domain used in the attack is located on a compromised box.
It’s a bit concerning that a company whose sole focus is securing industrial control systems should be spear phished. The attacker clearly went to enough trouble to try to understand ICS security lingo to get the employee to open the link, and had to compromise a DNS server. It is likely that the perpetrator also compromised a second server to serve up the malicious file goodness (the domain server is in Philadelphia, PA for the interested, and may or may not have hosted the malicious file as well). The DNS records have been updating constantly since we began investigating.
Thankfully the attack was unsuccessful — paranoia pays off. It is definitely a lesson in ‘be careful what you open’…even if looks to be coming from Digital Bond (or your boss, as in this case), don’t open a file if you aren’t expecting it…
DP Update – I added the email below. It is text I have written before and I believe the file title is from a paper that Daniel Peck and I wrote for S4 2009. The file that that was linked was a .zip. The only thing that was unbelievable was the signature of just “Peterson”.
I used to point to this story on Spear Phishing from 2005. In that story, West Point cadets were tested in their computer security course — the instructor spear phished his own students, pretending to be a non-existent superior officer. Most of the students fell for the attack. The high percentage of victims at West Point may not reflect private industry very well — these are military cadets taught that following orders is their number one priority. I think that internal ‘fake spear phishing’ like the kind done at West Point is a great practice, but I have yet to encounter a company or .GOV organization that actually does it…
Image by cleanplait
Hi Dale,
I guess I am saying welcome to my nightmare… So far Dossing is the only success I have suffered no actual compromises of note.
Goes to show your raised profile has got your site noticed. I had a similar experience – different MO about two months ago that was particularily of note.
I do have close family in the USA that I never talk about in public or un trusted relationships and that was the basis of the well crafted and on the surface well designed attack. I think the good news is that they always seem to have some little defect that is in plain site that you can pick up on.
BTW The SCADA mail list site has been hit so hard and often lately I’m kinda glad that it has a different data center to what it hads been before last year It is fairly bullet proof now from DOS/DDOS attacks.
My domain cops so many targeted attacks that i’ve started a best attack of the week distribution to researchers.
Lemme know if you want to be added to teh distribution list some are quite humerous.
Did you submit the payload to any AV vendors for analysis? I am interested in knowing what they come back with. If its a new strain or a variant of an existing strain.
Hi Justin,
No we did not, but we have no shortage of talent looking at it. There will be another article on Monday with more details on what it is and indicators on who it points to. The reason we are being so open with this info is we have been looking for a good ICS spear-phishing example to make a point, and unfortunately one fell into our lap.
Owner/operators and vendors should realize that a motivated, directed attacker will try to compromise a SCADA/DCS admin or engineers corporate system with the hopes that that system is allowed into the control center. We actually had a paper on this for S4 2012, but it got pulled. Maybe in 2013.
Reid did submit it to VirusTotal and most of the popular vendors you see in corporation (McAfee, Symantec, Trend, Kaspersky, F-Secure, …) did not detect it.
Dale
Dale,
Push the AV vendors hard with this one to detect it. I recently found a new strain of virus which none of the vendors on virus total detected. Sophos was the first to detect it, followed by Fortinet, then Norman. If I find a new strain I submit to them first. The .dll was encrypted and the run key looked like it specified a password. The properties of the file made it look like it was a legitimate Russian grammar engine. I was unable to determine the vector of attack in this case but was happy to get protection from Mcafee in the end.
Thanks for being so open. Its scary to see how it used your name and ICS security terms.
Signature’s arn’t cutting it anymore. Organizations need to focus on behavior based and whitelisting methods. Mikko hits the nail on the head in this article: http://www.wired.com/threatlevel/2012/06/internet-security-fail/
Feel free to contact me if you need any additional help on the analysis.
I just saw the Ned Moran post. Great that the analysis was able to be done quickly.
Reid,
You’ll be happy to hear that many organizations now include mock phishing exercises such as the one used by Mr. Pelgrin during his tenure as CISO for the State of New York. PhishMe customers have trained over 3.1 million employees across multiple industry verticals and government agencies using the unique Immersive Education Experience that mock phishing provides.
Since PhishMe’s inception in 2008 we have found that immediately presenting engaging, bite-sized educational materials to those that fall “prey” has the desired effect of reducing human vulnerability to spear-phishing attacks. On an average, 58% of the employees of an organization are shown to be vulnerable during first-run mock phishing exercises. After several exercises customers are able to drive the susceptibility rate down to the single digit percentages.
So, although you may not hear many organizations discussing their mock phishing exercises I hope you’ll find comfort in the fact that a growing number of Fortune 500 firms embrace the concept and have active mock phishing programs.
PS – great work on the analysis and thanks for sharing the email
Best,
Scott Greaux
Look at the email addresses. It’s apparently from the boss’s yahoo account and sent to the employees yahoo account (via, er, gmail). What company sends its business communications out via yahoo?
So could a PRISM request have been made to monitor the email address dale.peterson111@yahoo.com to try and detect the parties involved?
Could say an organization like ES-ISAC work with the NSA to get make these requests?
Reading this article today make me think about remember when this event happened: http://www.washingtonpost.com/world/national-security/how-a-shared-e-mail-address-disrupted-plots-in-britain-and-us/2013/06/18/ebb023c4-d84b-11e2-a016-92547bf094cc_story.html