Energy Company Exposed to Hackers by a Phishing Attack

Event Year: 2007
Reliability: Likely But Unconfirmed
Country: Unknown
Industry Type: Power and Utilities
Description:

An energy company hired Intrepidus Group to investigate an attack that exposed the company to hackers. The investigation revealed that the company was the victim of a phishing attack: an email sent to employees at the energy company was opened by one of them, and outsiders thereby gained control of that employee's computer. The attackers obtained a level of access that would have allowed them to control, view and modify everything related to the business.

The attack was first noticed when random administrative accounts started being added on the internal network. The primary domain controller had been compromised, and the attack was traced to a machine inside the corporate network. That machine resided on the same network segment as the SCADA controllers. The source of the breach was found to be a phishing attack.

The phishing email contained information claiming to be about employee benefits. An employee opened the email attachment, unaware that it was a malicious .chm file. Once opened, the attachment reached out to a server in the Asia-Pacific region and released a malicious executable that gave the attackers access to the employee's computer. The attackers used a Windows DNS (Domain Name System) vulnerability as an entry point to gain control of the employee's account.

Intrepidus recommended that the company re-architect the outbound filtering of Internet access and put a proxy in place for Web browsing. In addition, network segregation was advised, so that no workstation sharing a critical network segment is connected to the Internet.
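The two recommendations above can be expressed as an auditable egress policy. The following is an added example, not Intrepidus's or the company's code; the address ranges, the proxy address and the flow records are assumptions constructed for the example, and the second record models the kind of outbound callback from a critical-segment workstation that the description above says went unfiltered.

```python
"""Audit flow records against the egress controls recommended above: no Internet
path from the critical (SCADA) segment, and Web access from other workstations
only via a proxy.  Addresses and log lines are constructed, not from the page."""
import ipaddress
import re

# Assumed addressing for this example (not from the page).
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
CRITICAL_SEGMENT = ipaddress.ip_network("10.50.0.0/24")  # workstations + SCADA controllers
WEB_PROXY = ipaddress.ip_address("10.10.255.10")         # the only sanctioned egress path
PROXY_PORT = 3128
FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")

def classify(src: str, dst: str, dport: int) -> str:
    """Return 'allow' or a 'deny: ...' reason for one observed flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in CRITICAL_SEGMENT:
        # Segregation rule: hosts sharing the critical segment get no Internet
        # path at all, so neither direct egress nor proxy use is acceptable.
        if d not in INTERNAL or d == WEB_PROXY:
            return "deny: critical-segment host must have no Internet path"
        return "allow"
    if d == WEB_PROXY:
        return "allow" if dport == PROXY_PORT else "deny: unexpected port on proxy"
    if d in INTERNAL:
        return "allow"  # east-west traffic is outside this egress policy
    # Proxy rule: any direct connection to the Internet bypasses the filter.
    return "deny: direct Internet egress bypassing the proxy"

def audit(log_lines):
    """Parse 'src= dst= dport=' records; return [(line, verdict), ...]."""
    results = []
    for line in log_lines:
        m = FLOW_RE.search(line)
        if m:  # skip records that are not flow entries
            src, dst, dport = m.group(1), m.group(2), int(m.group(3))
            results.append((line.strip(), classify(src, dst, dport)))
    return results

# Constructed log: office host via proxy, a critical-segment workstation calling
# an external server (the attachment-callback pattern described above), a
# Modbus flow inside the segment, and an office host skipping the proxy.
SAMPLE_LOG = """src=10.10.4.21 dst=10.10.255.10 dport=3128
src=10.50.0.12 dst=203.0.113.45 dport=80
src=10.50.0.12 dst=10.50.0.200 dport=502
src=10.10.4.22 dst=198.51.100.7 dport=443"""

if __name__ == "__main__":
    for line, verdict in audit(SAMPLE_LOG.splitlines()):
        print(f"{verdict:55} {line}")
```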

Impact:

The phishing attack led to a compromise of the energy company's network and access to its SCADA system.