A large-scale cyber espionage campaign primarily targeting renewable energy and industrial technology organizations has been discovered to have been active since at least 2019, targeting more than fifteen entities worldwide.
The campaign was discovered by security researcher William Thomas, a member of the Curated Intelligence trust group, who used OSINT (open source intelligence) techniques such as DNS scans and public sandbox submissions.
Thomas’s analysis revealed that the attacker uses a custom “Mail Box” toolkit, a low-tech phishing package deployed on the actors’ own infrastructure, as well as compromised legitimate websites to host phishing pages.
Most of the phishing pages were hosted on “*.eu3[.]us”, “*.eu3[.]org” and “*.eu5[.]net”, while the majority of compromised sites are located in Brazil (“*.com[.]br”).
Targeting the renewable energy sector
The goal of the phishing campaign is to steal the login credentials of people who work for renewable energy companies, environmental organizations, and industrial technology firms in general.
Examples of organizations targeted by phishing attacks include:
- Schneider-Electric
- Honeywell
- Huawei
- HiSilicon
- Telekom Romania
- University of Wisconsin
- California State University
- Utah State University
- Kardjali hydroelectric power station (Bulgaria)
- CEZ Electro (Bulgaria)
- California Air Resources Council
- Morris County Municipal Utilities Authority
- Taiwan Forest Research Institute
- Carbon Disclosure Program
- Sorema (Italian recycling company)
[Image: list of targeted organizations. Source: blog.bushidotoken.net]
The researcher was unable to retrieve any samples of the phishing emails used in the campaign, but Thomas believes the emails used a “Your mailbox is full” decoy based on the landing pages.
Unknown actor
Thomas could not attribute this campaign to specific actors, but the evidence points to two groups of activity, one from APT28 (aka FancyBear) and the other from Konni (North Korean actors).
Google Threat Analysis Group researchers recently uncovered phishing activity attributed to APT28 that uses multiple “eu3[.]biz” domains.
Since mid-December, @Google TAG has detected ongoing APT28 credential phishing campaigns targeting Ukraine. Some IOCs:
consumerpanel.eu3[.]biz
consumerpanel.eu3[.]org
consumerspanelsrv.eu3[.]org
protectpanel.eu3[.]biz
updateservicecenter.blogspot[.]com
— Billy Leonard (@billyleonard) January 14, 2022
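As an added example (not from the article or from the researcher's toolkit), the hosting pattern described above and the indicators quoted in the tweet can be turned into a simple DNS-log check: refang the defanged hostnames and flag any query whose parent domain is one of the free-hosting zones named here. The log format and client addresses are constructed for the example; blogspot is deliberately left out of the parent list because it hosts a vast amount of legitimate content.

```python
import re

# Parent zones named in the article and tweet, written in refanged form.
SUSPECT_PARENT_DOMAINS = ("eu3.us", "eu3.org", "eu5.net", "eu3.biz")

# Defanged indicators copied from the quoted tweet.
TWEET_IOCS = [
    "consumerpanel.eu3[.]biz",
    "consumerpanel.eu3[.]org",
    "consumerspanelsrv.eu3[.]org",
    "protectpanel.eu3[.]biz",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'x.eu3[.]org' back into a usable hostname."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def matches_parent(hostname: str, parents=SUSPECT_PARENT_DOMAINS) -> bool:
    """True if hostname equals, or is a subdomain of, one of the parent zones.

    The leading '.' in the suffix check matters: 'fakeeu3.org' must not match
    'eu3.org', and 'eu3.org.example.net' is not under eu3.org either.
    """
    host = hostname.lower().rstrip(".")
    return any(host == p or host.endswith("." + p) for p in parents)


# Constructed log format: "<timestamp> <client-ip> <queried-name> <qtype>".
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) (?P<qtype>\S+)$")


def flag_dns_log(lines):
    """Return (timestamp, client, host) for every query to a suspect parent zone."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m and matches_parent(m["host"]):
            hits.append((m["ts"], m["client"], m["host"].lower()))
    return hits


# Constructed sample resolver log; only two lines should be flagged.
SAMPLE_DNS_LOG = [
    "2022-01-14T09:12:01Z 10.0.0.15 consumerpanel.eu3.org A",
    "2022-01-14T09:12:03Z 10.0.0.15 www.example.com A",
    "2022-01-14T09:13:11Z 10.0.0.22 webmail.eu5.net A",
    "2022-01-14T09:14:00Z 10.0.0.30 eu3.org.example.net A",
    "2022-01-14T09:14:05Z 10.0.0.30 fakeeu3.org A",
]
```

The refanged tweet indicators (`[refang(i) for i in TWEET_IOCS]`) can be added to the same matcher as exact hostnames if a blocklist rather than a zone match is wanted.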
A point of overlap for the two groups is that the hostnames used for phishing credentials belong to Zetta Hosting Solutions, a name that has appeared in numerous analyst reports recently.
Konni used Zetta Hosting Solutions domains in a diplomat-targeting campaign uncovered by Cluster25, as well as in a TA406 campaign (North Korean hackers) analyzed by Proofpoint.
Thomas told BleepingComputer that many APT hacking groups use Zetta in malicious campaigns.
“Zetta is used a lot by APTs and malware, and I’d be very surprised if they didn’t know about it. It’s not a big company. Threat actors also like these types of name services: free hosts where they can set up infrastructure quickly, freely and anonymously.” - Thomas
However, the researcher pointed out that he has no concrete evidence that Zetta Hosting knowingly helps malicious campaigns.
Focus on Bulgaria and potential motive
Besides the two entities mentioned in the victimology section above, the researcher noticed a small cluster of activity from 2019 linked to the same infrastructure targeting several Bulgarian banks.
[Image: activity cluster targeting Bulgarian banks. Source: blog.bushidotoken.net]
The researcher believes that the adversary is financially supported by entities interested in fossil fuels, in particular an energy seller to Bulgaria who sees renewable energies as a threat.
The earlier targeting of banks may have been an attempt to gather intelligence on the financing and construction of new renewable energy installations.
APT28 is a Russian state-linked group, and Bulgaria is known to import significant quantities of Russian natural gas, so the link between this campaign and the particular actors has a logical basis, even if it is not proven at this stage.