A cyberespionage campaign targeting industrial technology and renewable energy companies has been discovered. The campaign has been active since 2019 and has so far targeted 15 entities around the world.
A security researcher spotted the campaign and revealed that the attacker used a bespoke Mail Box toolset. The toolkit is a phishing package whose phishing pages are hosted on compromised legitimate websites.
The phishing campaign's purpose is to steal login credentials from people who work for environmental organisations, industrial technology companies, and renewable energy companies.
Schneider Electric, Honeywell, Huawei, HiSilicon, Telekom Romania, Taiwan Forestry Research Institute, CEZ Electro, Sorema, and others are among the targeted organizations.
The majority of the phishing pages were found to be hosted on the domains *[.]eu3[.]biz, *[.]eu3[.]org, and *[.]eu5[.]net. However, the majority of the compromised hosting sites are under *[.]com[.]br (Brazil).
The researcher was unable to obtain any samples of the phishing emails used in the attack. However, the researcher believes the emails used a 'Your Mail Box storage is full' notice as the lure.
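As an added defender-side example, not code from the researcher's report, the following Python refangs the hosting patterns listed above and checks constructed proxy-log URLs and mail subjects against them; the log format, user names and URLs are assumptions built for the example.

```python
from urllib.parse import urlsplit

# Hosting domain patterns reported for the campaign, kept defanged as published.
DEFANGED_PATTERNS = ["*[.]eu3[.]biz", "*[.]eu3[.]org", "*[.]eu5[.]net"]
# Lure text the researcher believes the emails used (normalised for matching).
LURE_TEXT = "mail box storage is full"

def refang(pattern: str) -> str:
    """Turn a defanged '*[.]eu3[.]biz' into the bare suffix 'eu3.biz'."""
    return pattern.replace("[.]", ".").lstrip("*").lstrip(".").lower()

SUFFIXES = [refang(p) for p in DEFANGED_PATTERNS]

def host_matches(host: str) -> bool:
    """Wildcard match on the registered suffix and any subdomain of it.
    A suffix appearing only as a substring (e.g. 'noteu3.biz') must not match.
    Note: the compromised *.com.br hosts cannot be caught by TLD alone, so
    this check complements, rather than replaces, URL and subject review."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in SUFFIXES)

def is_lure_subject(subject: str) -> bool:
    """Case- and whitespace-insensitive check for the reported lure wording."""
    return LURE_TEXT in " ".join(subject.lower().split())

def flag_urls(log_text: str) -> list:
    """Parse constructed proxy lines of the form '<timestamp> <user> <url>'
    and return (user, url) pairs whose host falls under a listed suffix."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of failing the scan
        _ts, user, url = parts
        if host_matches(urlsplit(url).hostname or ""):
            hits.append((user, url))
    return hits

# Constructed sample proxy log for demonstration (not real traffic).
PROXY_LOG = """\
2022-01-10T09:12:01Z alice https://webmail-storage.eu3.biz/login.php
2022-01-10T09:13:44Z bob https://intranet.example.com/portal
2022-01-10T09:15:02Z carol http://noteu3.biz/index.html
2022-01-10T09:16:30Z dave https://portal.eu5.net/mailbox
"""

if __name__ == "__main__":
    print(flag_urls(PROXY_LOG))
```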
Although the researcher has not linked this campaign to any specific actors, the evidence points to two clusters of activity, one associated with APT28 and the other with Konni (a North Korean actor).
Along with many targeted entities, the researcher observed a small cluster of activity dating back to 2019 that was linked to the same infrastructure and targeted multiple Bulgarian banks.
According to the researcher, the threat group is funded by actors with fossil-fuel interests, notably in dealings with Bulgaria. Someone selling energy to Bulgaria, for example, would see renewables as a threat.
Furthermore, the earlier attack on Bulgarian banks in 2019 was believed to be an attempt to collect intelligence on the construction and funding of new renewable energy centres.
Targeted renewable energy firms and related industries should take the necessary precautions to protect themselves, as APT groups use a number of methods to penetrate their targeted networks. To combat such threats, an in-depth review of the security strategy is recommended.