Lessons on Spear Phishing Security Measures

This spring, a senior industrial control engineer at a United States energy facility received a malicious email that was carefully crafted to resemble a request from a job applicant. Attached to the email was a fake resume consisting of a malicious Microsoft Word Document. With just a click, the hackers could steal the engineer's network credentials and gain access to other machines within the facility.

This phishing attack was part of a coordinated effort to penetrate a US power plant, as reported by the New York Times and based on a joint report from the Department of Homeland Security and the FBI. Most experts believe these attacks were conducted by a nation-state against the US. According to the report, there is no evidence that the intruders were able to reach the most critical systems controlling power generation. However, it's possible that the hackers acquired knowledge such as engineering schematics or social engineering details that could facilitate further attacks against the plant itself.

Fortunately, the power generation control systems were protected by a deliberate lack of network connectivity between the administrative computers and operational plant control computers. This separation of networks, called an air gap, is a key aspect of security design. While an air gap can be crossed physically, for example by a person connecting a USB stick or a networked device to the protected network, it cannot be crossed by a remote intruder.

Presaging this breach was a more serious attack in the Ukraine that penetrated energy plants that lacked an effective air gap. In 2015, a number of power plants in the Ukraine were compromised, resulting in 230,000 people losing their electricity for an extended time. According to experts who have analyzed it, the Ukraine attack involved a large number of experienced specialists who planned an elaborate hacking operation over months.

Similar to the attack on US power plants, this campaign started with spear phishing attempts against Ukraine power plant employees. The phishing emails contained a Microsoft Word attachment that when clicked prompted the employee to enable macros, thus installing a malicious software program on the computer. After the hackers obtained network access, they were able to steal virtual private network (VPN) credentials that were intended for power plant workers to remotely log into the plant control systems. The VPN allowed the hackers to remotely access the plant control systems and bring down the entire power grid.

This hacking technique of using personally targeted emails is called spear phishing. It can be used to target people such as critical plant workers, IT administrators, or financial controllers who have access to critical systems that the hackers want to access. Incidents of spear phishing have sharply risen over the past several years and are responsible for many of the noteworthy hacking incidents in the news.

Any company with critical infrastructure to protect should examine their readiness for spear phishing campaigns. According to a recent survey by The National Center for the Middle Market, more than 90 percent of businesses think a cyber event would impact their bottom lines, and two-thirds feel it would be significant. But companies currently dedicate only six percent of their IT budgets to combat cyber risk.

Fortunately, it's possible to build a good defense against spear phishing without a large budget.

Below are some basic precautions to help secure against spear phishing:

•First, train employees to be careful of clicking on anything in an email. Sometimes the email links and attachments will be obvious and sometimes they will be cleverly hidden.  When in doubt, the link or attachment should be opened in an isolated environment where there is no danger of malicious software installation. Alternatively, the email sender should be contacted through phone or another means of communication to confirm their intention. For anyone who habitually deals with a full inbox, the additional effort of anti-phishing monitoring may seem burdensome. However, learning new behaviors is crucial for preventing an attack.

•If internal training isn’t a good option, there are commercial enterprise services for phishing prevention. These anti-phishing services will send employees random fake emails that emulate recent hacking incidents. These services also include a reporting capability to rank each person’s effectiveness in recognizing phishing attempts so that the least careful employees can be targeted with additional training.

•The most important aspect to phishing prevention is to focus training efforts on the people in the organization who have access to the most critical information. Likely victims of spear phishing include administrators of email systems, database managers, and customer service workers who have access to password information. Spear phishing often happens at the executive level, for example financial controllers are frequent targets. In the case of these employees, it’s important to create walls between their communication activity and their access to critical systems. One of the best ways to accomplish this this is by mandating the use of multi-factor authentication (MFA) for every employee with access to critical systems. However it may be equally effective to enforce human processes instead of IT solutions. For example, a CFO could consult a checklist to confirm the validity of recipients before fulfilling an invoice or sending out financial documents.

Since the trajectory of phishing attacks is only increasing, it’s time for every company and individual to take precautions. A few thoughtful countermeasures will go a long way toward increasing security.