How a Phishing Attack Exposed an Energy Company to Hackers

The Intrepidus Group reveals some details behind a malware attack that exposed critical systems at an energy company. Using a Microsoft zero-day vulnerability and a bit of social engineering, hackers compromised a workstation and threatened critical SCADA systems, the security vendor says.

It began with an e-mail sent to an employee at an energy company, and ended with a security breach that exposed critical systems to outside control.

This is an all-too-common scenario, and just one example of the types of threats targeting not only critical infrastructure but organizations generally. The attack referred to above happened at the site of an energy company that Intrepidus Group is keeping anonymous. In a discussion with eWEEK, however, the security vendor outlined just how a malware attack broke into a critical network.

The attack began to unravel April 3, 2007. That's when a fraudulent user account, complete with administrative privileges, was detected by the energy company. At that point, Intrepidus Group was called in to try to uncover what exactly had happened. Working backward, the company traced everything back to a little bit of social engineering.

"What started off as a very strange attack where people couldn't understand why these random administrative accounts were being added in the internal network ended up being two and a half days later us realizing the primary domain controller in the system - which is the keys to the system, really, with all the passwords and user accounts - had been compromised with this zero-day attack," said Intrepidus Group CEO Rohyt Belani. "But the big thing that set off alarms ... was that the attack had originated not from the outside big, bad world, but ... from another machine inside their corporate network."

The machine sat on the same segment where the SCADA (Supervisory Control And Data Acquisition) controllers were. Soon, evidence appeared that the attackers had leapfrogged off this network and broken into the domain controller, Belani explained. After backtracking even further, the investigation determined the source of the breach: a relatively simple phishing attack.

The phishing e-mail contained a pitch for a new health care plan, something that caught an employee's eye. The e-mail claimed to be about benefits for a family with two or more children, and the employee had three. The message also contained a malicious .chm file attachment.

When the employee opened the attachment, it reached out to a server in the Asia-Pacific region and pulled down a malicious executable that gave the attackers a foothold on the employee's machine, Belani said.

The attack took advantage of MS07-029, a Windows DNS (Domain Name System) vulnerability that at the time was unpatched. Using the vulnerability as an entry point, the attackers ended up with control of the employee's account.

"The attacker had a problem; he got system-level access via an unpublished zero-day exploit," said Aaron Higbee, CTO of Intrepidus Group. "But attackers need to maintain access and are worried about their initial exploits either causing instability with the system or the system getting patched. This is why they created the [other] account ... with domain admin access."

With the level of access they gained, the attackers could potentially control, view and modify everything related to the business, Higbee said.

In the aftermath of the attack, Intrepidus advised the company to make some changes to its security strategy. For starters, the company was advised to re-architect the outbound filtering of Internet access and put a proxy in place for Web browsing to ensure that employees aren't reaching out to seemingly random sites. More critical is the subject of segregation. No workstation sharing a critical network segment should be connected to the Internet, Belani said.

"It should be segmented away from the sensitive SCADA controllers," he said.
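The two recommendations above (Web browsing only through a proxy, and no Internet path for hosts on the SCADA segment) can be checked against flow records. The following is an added example, not code from Intrepidus Group or the article; the address ranges, proxy address and flow records are all constructed assumptions.

```python
import ipaddress

# Assumed addressing plan (hypothetical, not from the article).
SCADA_SEGMENT = ipaddress.ip_network("10.20.0.0/24")   # segment holding SCADA controllers
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # all internal address space
WEB_PROXY = ipaddress.ip_address("10.1.1.10")          # only host allowed to reach the Internet

# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.1.5.23", "10.1.1.10", 3128),    # workstation -> proxy: expected
    ("10.1.1.10", "198.51.100.7", 443),  # proxy -> Internet: expected
    ("10.1.5.40", "203.0.113.9", 80),    # workstation -> Internet, no proxy
    ("10.20.0.15", "203.0.113.9", 80),   # SCADA-segment host -> Internet
    ("10.20.0.15", "10.20.0.2", 502),    # SCADA-segment host -> controller
    ("10.20.0.15", "10.1.1.10", 3128),   # SCADA-segment host browsing via proxy
]

def is_internal(addr):
    """True if the address belongs to the (assumed) corporate ranges."""
    return any(addr in net for net in CORPORATE_NETS)

def audit_flow(src, dst):
    """Return the policy violation name for one flow, or None if allowed."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in SCADA_SEGMENT and (not is_internal(d) or d == WEB_PROXY):
        # Direct or proxied, a host beside the controllers has an Internet path.
        return "scada-segment-internet-access"
    if is_internal(s) and not is_internal(d) and s != WEB_PROXY:
        # Outbound traffic that skipped the proxy and its filtering.
        return "direct-egress-bypassing-proxy"
    return None

def audit(flows):
    """Return (src, dst, port, violation) for every flow that breaks policy."""
    findings = []
    for src, dst, port in flows:
        violation = audit_flow(src, dst)
        if violation:
            findings.append((src, dst, port, violation))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(*finding)
```

Treating proxied browsing from the SCADA segment as a violation is this example's reading of "should not be connected to the Internet"; a site that permits it would drop the `d == WEB_PROXY` condition.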