For threat actors of the most malicious kind, be it nation-states or terrorists, critical infrastructure related to energy has always been a top target. Nuclear facilities of various types are always high on this list as the amount of damage in both monetary and human terms can be catastrophic. This is simply a fact not intended to frighten, as I do not wish to fear-monger, but cybersecurity professionals have a responsibility to understand the threats that global citizens face.
The latest threat to energy facilities, especially of a nuclear variety, has come by way of template injection. As reported by the Cisco Talos researchers, starting around May 2017 there was an uptick in attacks that tried to gain user credentials (most likely to seek control of key functions in the facility) and other sensitive data using Word document phishing. This attack in and of itself is not new, however, the way in which it is carried out is rather different than before.
Typically in a Word document phishing attack, a threat actor cloaks malicious code in the actual DOCX that executes upon download and opening of the file. In the case of these template injection attacks, however, the hackers utilize “a template file over an SMB connection so that the user’s credentials can be silently harvested.” Additionally, as the Talos team points out in their report, “this template file could also potentially be used to download other malicious payloads to the victim’s computer.”
The email that this Word document is found in looks something like this:
So besides avoiding sketchy-looking emails, what can be done to prevent these type of attacks on energy facilities? The Cisco Talos team recommends that IT divisions at any company, but especially those in charge of key energy infrastructure should block “outbound protocols such as SMB except where specifically required for your environment.” SMB protocols have been the cause of a great deal of cyberattacks in recent times, and this is no different.
Photo credit: Wikimedia