ICS-CERT warns on utility web page info
Critical infrastructure providers should be careful about posting industry event and business contact information on their Web pages because that data has been used to customize “spear phishing” attacks aimed at the larger critical infrastructure community, said the U.S. critical infrastructure cyber emergency team.
The latest issue of ICS-CERT Monitor, posted by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) on April 3, discusses an electronic attack last October on an electric utility’s Web site that was used to customize a larger assault against members of the energy sector. ICS-CERT didn’t name the utility.
In the incident, ICS-CERT said online attackers found employee names, company email addresses, company affiliations, and work titles on the electric company’s Web site on a page that listed the attendees at a recent committee meeting. The publicly-available information gave the attacker the company knowledge necessary to target specific individuals within the electric energy sector, it said.
According to ICS-CERT, the attackers created malicious emails that informed recipients of the sender’s new email address and asked them to click on an attached link. The link led to a site that contained malware. Another email with a malicious attachment may also have been associated with this campaign, it said.
ICS-CERT worked with the Electricity Sector Information Sharing and Analysis Center (ES-ISAC) to determine that 11 entities were targeted in the campaign, but added that “luckily no known infections or intrusions occurred.”
ICS-CERT warned that publicly-accessible information that is commonly found on social media, as well as professional organization and industry conference Web sites, is a recognized resource for attackers performing reconnaissance activities. “With this information, attackers can craft convincing spear phishing and have a higher likelihood of successfully convincing the targeted individual to click on the malicious link or attachment.”
It recommended minimizing business-related and personal information on social media Web sites. Business-related information could include job title, company email, organizational structure, and project names. If information exists on other Web sites, contact the Web site owner and ask that it be removed, it said.