Digital signatures used in the spear-phishing campaign against the natural gas industry are identical to those used in the RSA breach, according to a published report.
The spear-phishing attacks laying siege to networks in the natural gas pipeline industry apparently are being carried out by the same group that hacked RSA security last year, Mark Clayton reports in the Christian Science Monitor.
Two analyses, done independently, found that digital signatures — including IP addresses, domain names and file names — used in the pipeline attacks are identical to those used in the RSA breach, Clayton writes.
Security company Critical Intelligence first identified the link between the two attacks, and Red Tiger Security confirmed the information, according to the article.
The hack in March 2011 of RSA, the security division of EMC, stole information on the company’s SecurID authentication tokens, used by 35,000 government and corporate customers. The information was later used in an unsuccessful attack on government contractor Lockheed Martin. The source of the attack was reportedly was traced to China, along with attacks on hundreds of other organizations.
The phishing campaign targeting gas pipeline networks was discovered in March and dates back as far as December 2011, according to a public alert issued by the Industrial Control Systems Cyber Emergency Response Team.
The alert warned natural gas pipeline operators that spear-phishing attacks were targeting their networks and that some networks had already been compromised. And although it didn’t contain information on a possible source, the alert did say they were coming from a single organization.
"Analysis of the malware and artifacts associated with these cyberattacks has positively identified this activity as related to a single campaign," ICS-CERT said.
The alert said the spear-phishing attacks targeted a tightly focused group of people within the industry with e-mails that “have been convincingly crafted to appear as though they were sent from a trusted member internal to the organization.”
Phishing attacks have become a favorite method of cyber criminals. They involve e-mails that appear to come from a trusted source — a company human resources department, the IRS or law enforcement agencies, for example — and attempt to lure people into giving up personal information or clicking a link to a malicious website.
Spear-phishing attacks are even more focused, sometimes adapted for individual users, and usually sent to someone with access to sensitive information.
"When industries are attacked like this, it usually is intellectual property that is sought," Liam O Murchu, manager of operations for Symantec Security Response, told GCN’s William Jackson. "There is no reason to believe anything else is happening here. It probably is another information-stealing attack."
Like the RSA hack, the campaign against the natural gas pipeline industry is being described as very sophisticated.
The attack against RSA was a methodical process that started by compromising the network of a company RSA did business with, RSA Executive Chairman Art Coviello said in January. Information gleaned from that attack was used in a spear-phishing campaign against RSA employees, which eventually netter information about the SecurID tokens.
RSA officials have said only that the complexity of the attacks led them to believe it came from a nation-state, but other reports have identified China as the source.
Information reportedly given in Congress in October 2011 identified more than 300 command-and-control networks used in the attacks, 299 of which were located in or around Beijing. That report also identified 760 other organizations that might have been hit in the same operation.
And in March, Army Gen. Keith Alexander, director of the National Security Agency and the U.S. Cyber Command, told the Senate Armed Services Committee that China was behind the RSA attack.