A cyberespionage campaign has been discovered targeting industrial technology and renewable energy entities. The campaign has been active since 2019 and has so far targeted 15 entities around the world.
About the campaign
The campaign was spotted by a security researcher, who also revealed that the attacker used a custom Mail Box toolkit. The toolkit is a phishing package that hosts its phishing pages on compromised legitimate websites.
- The goal of the phishing campaign is to steal the login credentials of people working for environmental protection organizations, industrial technology, and renewable energy firms.
- Some of the targeted organizations include Schneider Electric, Honeywell, Huawei, HiSilicon, Telekom Romania, Taiwan Forestry Research Institute, CEZ Electro, Sorema, and more.
- Most of the phishing pages were found hosted on *[.]eu3[.]biz, *[.]eu3[.]org, and *[.]eu5[.]net domains, whereas most of the compromised sites are located under *[.]com[.]br (Brazil).
The researcher was unable to obtain any samples of the phishing emails used in the attack. However, the researcher believes the emails used a ‘Your Mail Box storage is full’ message as the lure.
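As an added illustration (not code from the report or from the researcher), the following Python triage routine turns the report's defanged hosting domains and the suspected lure subject into a mail-gateway check. The sample events are constructed, the verdict tiers are an assumption of this example, and it deliberately treats a bare *[.]com[.]br link as too broad to act on unless the lure subject is also present.

```python
from urllib.parse import urlparse

# Indicator patterns as quoted in the report (defanged, as published).
PHISH_HOST_PATTERNS = ["*[.]eu3[.]biz", "*[.]eu3[.]org", "*[.]eu5[.]net"]
COMPROMISED_HOST_PATTERNS = ["*[.]com[.]br"]   # far too broad on its own
LURE_SUBJECT = "your mail box storage is full"  # suspected lure, per the report

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('*[.]eu3[.]biz') back into a matchable form."""
    return indicator.replace("[.]", ".")

def host_matches(host: str, pattern: str) -> bool:
    """Wildcard suffix match on DNS label boundaries: '*.eu3.biz' matches 'login.eu3.biz' and 'eu3.biz', not 'fakeeu3.biz'."""
    suffix = refang(pattern).lstrip("*").lstrip(".").lower()
    host = host.lower().rstrip(".")
    return host == suffix or host.endswith("." + suffix)

def triage_email(subject: str, urls: list[str]) -> dict:
    """Score one mail-gateway event; verdict tiers are this example's assumption."""
    reasons = []
    lure = LURE_SUBJECT in subject.lower()
    if lure:
        reasons.append("lure subject")
    for url in urls:
        host = urlparse(url).hostname or ""
        if any(host_matches(host, p) for p in PHISH_HOST_PATTERNS):
            reasons.append(f"phishing-hosting domain: {host}")
        elif lure and any(host_matches(host, p) for p in COMPROMISED_HOST_PATTERNS):
            # Only escalate a .com.br link when it arrives with the lure subject.
            reasons.append(f"lure + link to {host}")
    if any(r.startswith("phishing-hosting") for r in reasons):
        verdict = "block"
    elif any(r.startswith("lure + link") for r in reasons):
        verdict = "quarantine"
    elif lure:
        verdict = "review"
    else:
        verdict = "allow"
    return {"verdict": verdict, "reasons": reasons}

# Constructed sample events; these are not real messages from the campaign.
SAMPLE_EVENTS = [
    {"subject": "Your Mail Box storage is full", "urls": ["http://webmail-login.eu3.biz/owa/"]},
    {"subject": "Your Mail Box storage is full", "urls": ["https://loja-exemplo.com.br/wp-content/mail/"]},
    {"subject": "Quarterly report", "urls": ["https://fakeeu3.biz/report"]},
]

def run_samples() -> list[str]:
    """Verdict for each constructed event, in order."""
    return [triage_email(e["subject"], e["urls"])["verdict"] for e in SAMPLE_EVENTS]
```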
Who is behind the attack?
The researcher has not linked this campaign to any particular actor; however, the evidence points to two clusters of activity, one associated with APT28 and the other with Konni (North Korean actors).
The Bulgaria connection
Along with multiple targeted entities, the researcher observed a small cluster of activity from 2019 associated with the same infrastructure targeting multiple banks based in Bulgaria.
- According to the researcher, the threat group is financially supported by actors with fossil fuel interests, particularly those dealing with Bulgaria; for example, a party selling energy to Bulgaria would see renewables as a threat.
- Additionally, the earlier 2019 attack on the Bulgarian banks is believed to have been an attempt to collect intelligence on the construction and funding of new renewable energy centers.
Targeted renewable energy firms and other connected industries should take appropriate measures to protect themselves, as APT groups use a variety of approaches to penetrate their targets' networks. An in-depth review of the security strategy is also recommended to counter such attacks.