Spear Phishing Attacks Escalate at Nuclear Power Plants, Utilities and Manufacturers

January 21, 2020

The New York Times reported last week that spear phishing attacks have escalated recently targeting nuclear power plants, utilities and manufacturers. The article focused specifically on the threat to nuclear facilities where “spear phishing” was the common cyber attack technique.

Hackers wrote highly targeted email messages containing fake résumés for control engineering jobs and sent them to the senior industrial control engineers who maintain broad access to critical industrial control systems, the government report said.

The fake résumés were Microsoft Word documents that were laced with malicious code. Once the recipients clicked on those documents, attackers could steal their credentials and proceed to other machines on a network.

The FBI is currently saying that there is no imminent danger because the personal computers used by these employees are “air-gapped” and not on common networks. However, others have warned that the frequent use of USB drives to transfer data between systems or upgrade software can be a means to jump the “air-gap.”

Hackers are Mapping Networks for Future Attacks


The Times information source was based on “an urgent joint report” from the Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) related in part to attacks targeting the Wolf Creek Nuclear Operating Corporation. The article summarized one finding of the report saying:

The hackers appeared determined to map out computer networks for future attacks, the report concluded. But investigators have not been able to analyze the malicious “payload” of the hackers’ code, which would offer more detail into what they were after.

It is important for IT teams to understand that not every cyber attack or successful spear phishing email leads to immediate credential compromise and harm to the organization. Many more sophisticated attackers will use the penetration to establish a beachhead within the company’s network and create issues over time. These are particularly difficult to detect activities because the attackers are already inside the network compliments of the spear phishing email.

It is critical to have spear phishing protection because it is such a common and effective attack method employed by cyber criminals today. As we often suggest, tools like DMARC and employee training can help, but they let far too many emails through to do damage. You shouldn’t use your employees as a firewall against spear phishing attacks. Data show they are too easily fooled. You need an automated system to help protect employees and your organization.

Spear Phishing Attack Used to Plant Malware


The other thing we learn once again from the Wolf Creek attack is that spear phishing is often used to plant malware. Graphus just put out a report on ransomware which is a specific form of malware. Findings from that research showed that over 90% of spear phishing emails contain some form of malware as an attachment or include a malicious link to a site were malware will be downloaded to a machine. Many people don’t realize that the first line of defense against malware is to protect your organization from spear phishing.

Nuclear and Energy Are Not Alone

In reporting on the Times article Ars Technica was clear that this report reflected findings about a trend across a number of industries and not just a single event.

The attacks follow a much broader cyber-espionage campaign against critical infrastructure companies earlier this year. In April, DHS warned of ongoing cyber-attacks on the energy sector as a whole, as well as healthcare, information technology, telecommunications, and infrastructure industries. Those attacks used Red Leaves and other malware focused on stealing user credentials and providing a persistent backdoor to networks.

Security industry professionals often speak of the need for layered security protection. You need to protect your networks at the perimeter, have tools to identify attacks and intrusions and protect your endpoints for example. Few of these discussions mention business email compromise attack vectors such as spear phishing because they are not wholly about bits and bytes. Human factors and social engineering enable the attack to succeed and therefore are a different type of problem that cybersecurity engineers need to turn their attention to.

That is precisely why we need to focus more attention on areas like spear phishing. The malicious Microsoft Word documents mentioned above are harmless if the nuclear engineers don’t open the email and download the attachment. Graphus is designed to help identify that malicious email as spear phishing before these problems occur.