Spear-Phishing Tactics Used in Recent Attempts on Nuclear Power Plants

Last week, media reports referenced an ongoing malicious email campaign targeting nuclear power facilities and other critical infrastructure sites throughout the United States and Europe. The Talos Group, an incident response and intelligence team within Cisco, released a detailed technical analysis of the tactics used to deliver the spear-phishing emails and of the subsequent attempts to compromise the user credentials of network operators. The emails carried Microsoft Word .docx attachments, such as a fake resume for a "Controls Engineer"; however, the documents did not contain the malicious VBA macros or other embedded scripts that Talos expected to find. Instead, once opened, the document employs a tactic known as template injection and attempts to communicate with an external IP address to load a Word template. Rather than using TCP 80, the connection is attempted to an external SMB server over TCP 445, which, if allowed, could result in an SMB authentication attempt and the compromise of encrypted credentials.

The NJCCIC recommends that users and administrators, particularly of industrial control systems, review the technical analysis and the IOCs provided by Cisco Talos to determine whether malicious activity associated with this campaign was observed within their networks. If detected, this activity should be given the highest priority for mitigation and reported to the NJCCIC as soon as possible.
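One way to check a .docx for the template reference described above, as an added example that is not code from the NJCCIC or Cisco Talos. It relies on the OOXML convention that an attached template is recorded as an external `attachedTemplate` relationship in a `.rels` part; the function names and the sample built around the documentation address 192.0.2.10 are constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
TEMPLATE_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                 "relationships/attachedTemplate")
# UNC paths and file:// URLs that name a host make Word fetch over SMB (TCP 445).
SMB_TARGET = re.compile(r"^(\\\\|file:(//[^/]|////))")


def classify(target):
    t = target.lower()
    if SMB_TARGET.match(t):
        return "smb"
    return "http" if t.startswith(("http://", "https://")) else "local"


def find_attached_templates(docx_bytes):
    """Return [(part, target, kind)] for each externally attached template."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in (n for n in zf.namelist() if n.endswith(".rels")):
            data = zf.read(name)
            if b"<!DOCTYPE" in data:  # OOXML parts carry no DTD; refuse to parse
                continue
            for rel in ET.fromstring(data).iter(REL_NS + "Relationship"):
                if (rel.get("Type") == TEMPLATE_TYPE
                        and rel.get("TargetMode", "").lower() == "external"):
                    target = rel.get("Target", "")
                    findings.append((name, target, classify(target)))
    return findings


def make_sample(target):
    """Constructed sample: a zip holding only the settings relationship part."""
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/'
            '2006/relationships"><Relationship Id="rId1" Type="%s" Target="%s" '
            'TargetMode="External"/></Relationships>' % (TEMPLATE_TYPE, target))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    sample = make_sample("file://192.0.2.10/share/Template.dotm")  # constructed
    print(find_attached_templates(sample))
```

An `smb` result on an inbound attachment corresponds to the TCP 445 behaviour described above, while `local` results are ordinary template paths.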