Tracking A Renewable Energy Intelligence Gathering Campaign

-

 

For my first research blog of 2022, I analysed a suspected intelligence gathering campaign targeting renewable energy and industrial technology organisations, with a particular focus on Bulgaria. This long-running espionage campaign leveraged multiple credential harvesting pages to target the email accounts of employees at a number of organisations between 2019 and is ongoing in 2022. The attackers use the same 'Mail Box' phishing kit and host many of the pages on them infrastructure, supported by also compromising some legitimate websites.

This research was conducted using OSINT techniques such as query public sandbox submissions and passive DNS scan results. From this up to 40 individuals at target organisations from a variety of sectors were identified, but there was a focus on a few such as renewable energy, environmental protection organisations, and industrial technology. This research using OSINT alone is unable to acquire the full story, but hopefully can paint a picture of the motivation of the adversary behind this campaign.

Some of the targets include high-profile organisations such as operational technology (OT) and industrial control system (ICS) vendors like Schneider Electric and Honeywell, as well as Chinese telecommunications giant Huawei, semiconductor manufacturer HiSilicon, Telekom Romania, and US universities such as the University of Wisconsin, California State University, and Utah State University.

As mentioned above, one of the focuses of the campaign appeared to be renewable energy and environmental protection organisations. This includes the Kardzhali Hydroelectric Power Station (vec[.]nek[.]bg) and CEZ Electro (cez[.]bg), both located in Bulgaria, as well as the California Air Resources Board (arb[.]ca[.]gov), Morris County Municipal Utilities Authority (mcmua[.]com), the Taiwan Forestry Research Institute (tfri[.]gov[.]tw), the Carbon Disclosure Program (cdp[.]net), and Sorema, an Italian plastic recycling firm. There was also a small cluster of activty in 2019 linked to the same infrastructure targeting multiple banks in Bulgaria too.

Fig. 1 - 'Mail Box' phishing kit

Fig. 2 - Phishing pages for ICS/OT organisations

Fig. 3 - Phishing pages for Bulgarian energy companies

Fig. 4 - Phishing URLs targeting employees at energy and ICS/OT organisations

Fig. 5 - Phishing URLs targeting employees at government and NGO environmental organisations

Fig. 6 - Phishing URLs targeting employees at various banks, mostly from Bulgaria

Fig. 7 - Phishing URLs targeting members of staff at US universities

Analysis

This campaign was linked via its use of a custom 'Mail Box' phishing kit which simply collects the password of any user that visits it. The majority of the phishing pages have been hosted on *.eu3[.]biz, *.eu3[.]org, *.eu5[.]net hostnames (all owned by Zetta Hosting Solutions, AS44476). Some of the phishing pages were hosted on compromised websites, several of them located in Brazil (*.com[.]br). Many of the domains used by the adversary include phrases such as "update", "activate", or "support" and use the "-" multiple times.

The Mail Box phishing kit looks very generic and unsophisticated. The lures that lead to these credential harvesting pages were never recovered during this research. However, from visiting the second stage of the kit, the lures are likely using a generic "Your Mail Box storage is full" style phishing email. The landing page for this kit was always called "index.php" and the target's email address is appended to the end of the phishing URL.

Attribution

Two clusters of activity did overlap with some of the campaign artefacts. This includes campaigns attributed to two advanced persistent threat (APT) groups: APT28 (also known as FancyBear and attributed to the Russian GRU) and Konni (a group linked to the North Korean RGB). On 14 January 2022, Google TAG researchers disclosed several hostnames that use the same infrastructure as this campaign. The APT28 hostnames used to phish the credentials of users in Ukraine also used "eu3[.]biz" hostnames and Zetta Hosting Solutions (AS44476). It is currently unknown, however, whether the 'Mail Box' phishing kit was used and the domains lack the use of the "-" multiple times. On 3 January 2022, Cluster25 disclosed a Konni RAT campaign targeting Russian diplomats also using Zetta Hosting Solutions (AS44476) for command and control (C2) domains. However, the Konni RAT used "c1[.]biz" instead of the other main three hostnames that were observed in this campaign. Based on these links alone, however, it would not be sufficient to say this campaign is connected to either APT. [1, 2]

Attribution using these campaign artefacts and OSINT reports alone was not possible. However, it can be inferred that the adversary behind these attempts appears to be interested in Bulgaria, for starters, plus critical infrastructure, renewable energy, environmental protection agencies, and recycling technology. Supplemental targets such as ICS/OT organisations and educational institutions would compliment this intelligence gathering campaign, if access could be obtained at these entities. From this it could be suggested that the adversary behind this campaign is potentially a major source of fossil fuels and is doing research on the renewable energy sector as a threat to its income.

Indicators of Compromise (IOCs)

Type Indicator Context
Hostname activate-suport-up-date-142i[.]eu5[.]net Hosts 'Mail Box' phishing kit
Hostname adm-up-da-te-x2020x89354[.]eu5[.]net Hosts 'Mail Box' phishing kit
Hostname i197--activate-up-date[.]eu5[.]net Hosts 'Mail Box' phishing kit
Hostname xt543-suport-up-date[.]eu5[.]net Hosts 'Mail Box' phishing kit
Hostname 8xe3615-12-2019-up-date[.]eu3[.]org Hosts 'Mail Box' phishing kit
Hostname i131dere-up-date[.]eu3[.]biz Hosts 'Mail Box' phishing kit
Hostname jan-6543-up-date[.]eu3[.]biz Hosts 'Mail Box' phishing kit
Hostname x437-suport-up-dates[.]eu5[.]net Hosts 'Mail Box' phishing kit
Hostname e541-suport-up-date[.]eu5[.]net Hosts 'Mail Box' phishing kit
Hostname x914-suport-up-date[.]eu5[.]net Hosts 'Mail Box' phishing kit
Hostname 4877-activate-up-date[.]eu5[.]net Hosts 'Mail Box' phishing kit
Hostname active-up-date-xk89si[.]eu5[.]net Hosts 'Mail Box' phishing kit
Hostname activate-suport-up-date-i754[.]eu3[.]biz Hosts 'Mail Box' phishing kit
Hostname activate-suport-up-date-i754[.]eu3[.]biz Hosts 'Mail Box' phishing kit
Hostname activate-suport-up-date-321i[.]eu3[.]biz Hosts 'Mail Box' phishing kit
Hostname adms-suport-up-datex8323[.]eu3[.]biz Hosts 'Mail Box' phishing kit
Hostname 05-2019-up-date[.]eu5[.]net Hosts 'Mail Box' phishing kit
Hostname x07-2019-up-date[.]eu5[.]net Hosts 'Mail Box' phishing kit
Hostname 08-2019-up-datex[.]eu5[.]net Hosts 'Mail Box' phishing kit
Hostname 07-2019-up-datex[.]eu5[.]net Hosts 'Mail Box' phishing kit
Hostname adms-up-date-2020[.]eu5[.]net Hosts 'Mail Box' phishing kit
Hostname adm-up-date-2020x68293[.]eu5[.]net Hosts 'Mail Box' phishing kit
Hostname 08-2019-up-da-tex[.]eu5[.]net Hosts 'Mail Box' phishing kit
Hostname 06-2019-up-date1[.]eu5[.]net Hosts 'Mail Box' phishing kit
Hostname 04-2019-upd[.]eu5[.]net Hosts 'Mail Box' phishing kit
IPv4 185[.]176[.]43[.]106 Hosts *.eu3[.]biz *.eu3[.]org *.eu5[.]net pages
IPv4 185[.]176[.]43[.]90 Hosts *.eu3[.]biz *.eu3[.]org *.eu5[.]net pages
IPv4 185[.]176[.]43[.]98 Hosts *.eu3[.]biz *.eu3[.]org *.eu5[.]net pages
IPv4 185[.]176[.]43[.]96 Hosts *.eu3[.]biz *.eu3[.]org *.eu5[.]net pages
IPv4 185[.]176[.]43[.]94 Hosts *.eu3[.]biz *.eu3[.]org *.eu5[.]net pages
IPv4 185[.]176[.]43[.]80 Hosts *.eu3[.]biz *.eu3[.]org *.eu5[.]net pages
IPv4 185[.]176[.]43[.]84 Hosts *.eu3[.]biz *.eu3[.]org *.eu5[.]net pages
IPv4 185[.]176[.]43[.]82 Hosts *.eu3[.]biz *.eu3[.]org *.eu5[.]net pages
IPv4 185[.]176[.]43[.]80 Hosts *.eu3[.]biz *.eu3[.]org *.eu5[.]net pages
URL hxxp://saleswarriorinc[.]com/aba/login/index[.]php Compromised website to host 'Mail Box' phishing kit
URL hxxp://armaghanteb[.]com/bul/login/index[.]php Compromised website to host 'Mail Box' phishing kit
URL hxxp://quadteximagery[.]com/veri/login/index[.]php Compromised website to host 'Mail Box' phishing kit
URL hxxps://primage[.]com[.]br/aa/update/index[.]php Compromised website to host 'Mail Box' phishing kit
URL hxxps://alphabitconsulting[.]com/veri/login/index[.]php Compromised website to host 'Mail Box' phishing kit
URL hxxps://centralinsumos[.]com[.]bo/update/index[.]php Compromised website to host 'Mail Box' phishing kit
URL hxxps://pwametalurgica[.]com[.]br/bb/update/index[.]php Compromised website to host 'Mail Box' phishing kit
URL hxxps://cercoselectricos[.]cl/aa/update/index[.]php Compromised website to host 'Mail Box' phishing kit
URL hxxps://flammaautomoveis[.]com[.]br/bul/update/index[.]php Compromised website to host 'Mail Box' phishing kit
URL hxxp://englishlessons-houston[.]com/les/welcome/?user= Compromised website to host 'Mail Box' phishing kit
URL hxxp://saojoaodaurtigars[.]com[.]br/malaysia/login/?user= Compromised website to host 'Mail Box' phishing kit

Popular posts from this blog

Raspberry Robin: A global USB malware campaign providing access to ransomware operators

-
Image
Logo credit: RedCanary Ever since it first appeared in late 2021, the Raspberry Robin malware campaign has been propagating globally. A number of threat intelligence reports by vendors such as RedCanary (who named it) and Microsoft (who track it as DEV-0856/Storm-0856) have covered the malware campaign in great detail.  In fact, the list of blogs I do recommend to read to catch up on this threat are as follows: https://redcanary.com/blog/raspberry-robin https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity https://blog.sekoia.io/raspberry-robins-botnet-second-life/ https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/ https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/ https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-e
Read more

Tracking Adversaries: Scattered Spider, the BlackCat affiliate

-
Image
After tracking the cybercrime threat landscape on a day-to-day basis for over four years now, it’s not that often anymore that something surprises me. But the latest trend of a suspected English-speaking big game hunting cybercriminal group, tracked under the moniker as Scattered Spider by CrowdStrike or 0ktapus by Group-IB, teaming up with a Russian-speaking ransomware group known as BlackCat (or ALPHV) has caught my attention. Background on Scattered Spider CrowdStrike introduced Scattered Spider in December 2022 and shared an update in January 2023 . These financially motivated English-speaking threat actors are known for their unique style of attacks, which usually all begin the same way, either via an SMS phishing message to harvest credentials or via an old school (yet still very effective) social engineering vishing call to get credentials or get the target to download malicious software and provide access. Other tricks Scattered Spider is known for includes multi-factor
Read more

Lessons from the iSOON Leaks

-
Image
  Introduction A Chinese Ministry of Public Security (MPS) contractor called  iSOON (also known as Anxun Information) that  specializes in network penetration research and related services has had its data leaked to GitHub. Based on the level of detail, leaked chat logs, amount of data, and corroboration from overlaps indicators of compromise (IOCs), there is a high level of confidence it is legit. Preliminary findings from less than one week since the leak revealed that it contains unprecedented insights into how the Chinese MPS operates by using Chinese commercial surveillance vendors and what their technical capabilities are. The Chinese MPS is China’s internal security service that primarily focuses on  internal and border security, counter-terrorism, surveillance. The MPS is comparable to the  Russian FSB, the US DHS or the UK’s MI5. The most interesting findings have come from iSOON’s product whitepapers and confidential slide deck presentations given to their MPS clients. About
Read more