Major industrial control system (ICS) vendors and other types of organizations have been targeted in a cyberespionage campaign that appears to focus on renewable energy. The campaign, which started in at least 2019 and is ongoing, was analyzed by William Thomas, security researcher at Curated Intelligence. While the findings are limited due to the analysis relying solely on OSINT techniques, they are nevertheless interesting. Using public sandbox submissions and passive DNS scans, Thomas identified tens of users apparently targeted in a phishing campaign that leveraged a basic “Mail Box” phishing kit to harvest usernames and passwords. The phishing pages are hosted on dedicated domains, as well as on compromised websites. Based on the targeted email addresses, the operation is aimed at the employees of organizations in various sectors, but the focus appears to be on renewable energy. Targets include employees of ICS vendors such as Honeywell and Schneider Electric, Chinese communications giant Huawei, and Chinese chipmaker HiSilicon. The phishing campaign was also aimed at several universities in the United States, including the University of Wisconsin, California State University, and Utah State University. Non-Governmental Organizations (NGO) and government organizations have also been targeted, including the California Air Resources Board, the Morris County Municipal Utilities Authority, the Taiwan Forestry Research Institute, and the Carbon Disclosure Program.
An organization does not need to be connected with the government or military to be targeted by advanced persistent threat (APT) groups for cyber espionage. It is very common for state sponsored APTs to target private businesses in sectors that it deems strategically important for a country, often related to technology. If your business would be of potential strategic interest, you may need to include intrusions by state sponsored APTs in your threat model when planning your defenses.