Phishing Attacks in the Energy Industry

January 25, 2018 by Jennifer Jeffers


In the fall of 2017, hackers gained entry into the energy sector of both the U.S. and parts of Europe, targeting core systems in control of operations. They achieved this through a malicious, spoofed email campaign, a technique known as phishing, which has also been effective in compromising sensitive information at massive companies like Facebook and Google. Phishing works when employees and privileged individuals make the mistake of trusting communications from seemingly legitimate sources, when in fact the messages carry links meant to redirect the user to platforms where their data is at risk. By clicking a link, signing into a fake website, or even offering sensitive financial details, people in even the most prestigious industries, such as energy, are falling prey to one of the oldest hacking tricks in the book.

This major cyberattack that began in late 2015—referred to as “Dragonfly 2.0”—was likely the work of a foreign government, as it bore the hallmarks of some well-known international exploits. Once this situation was discovered, the U.S. government warned industrial firms about phishing campaigns targeting the nuclear and energy sectors, alerting companies about recent efforts to harvest credentials on an operational level.

Why Phish the Energy Industry?

Phishing expeditions in the energy industry are usually motivated more by the opportunity to create harm than by monetary gain. By definition, this sector relates to the production and furnishing of energy as well as the exploration and development of oil or gas reserves, including renewable energy and coal. Energy industries power the world and essentially dictate the quality of light and energy for the entire population. For these reasons, the field of energy is considered a power industry with massive influence over the public infrastructure and its livelihood. The objective of phisher-men in this sector is therefore to obtain the necessary credentials for accessing computer networks, power grids, energy generators, and other sensitive control areas.

Gaining access to or control of these private facets of the energy realm is highly appealing to outside governments who are looking to stage larger, more dramatic attacks using the data they find. If the influence and access of the energy sector were to fall heavily into the hands of a black hat, the amount of disruption and destruction available could be paralyzing to certain populations and would pose terrifying implications for those being targeted. In this way, using the data that attackers pull from these phishing-based reconnaissance missions provides them with the opportunity to penetrate systems that ultimately control some of the biggest energy distributors in the world.

When key energy sites are targeted through phishing, the larger utilities in that industry may lose the ability to control power in certain areas and suffer outages for long periods of time. Many experts suggest that these types of attacks often go hand in hand with terrorist agendas looking to create havoc during times of darkness and internal chaos. These types of intentional “blackouts,” which can be initially achieved through one simple phishing link in a seemingly innocent email, mean attackers have gained full access to electricity grids and are gaining an even stronger foothold in networks they may plan to use later in devious ways. Although the immediate disruption is certainly a problem, it is the information gained through this dark period of experimentation that creates the most fear.

How Are Energy Industries Phished?

When the Department of Homeland Security and the Federal Bureau of Investigation (FBI) sent out a joint alert in 2017 about increased spear-phishing activities in the energy sector, this specific type of exploit came under closer examination. Like other email-spoofing attacks, spear-phishing seeks to access unauthorized information through misleading and fraudulent email communications. However, spear-phishing attempts are not typically initiated by random hackers, but rather by perpetrators out for financial gain, trade secrets, or military information who follow a specifically targeted formula. Using the emails found in regular phishing expeditions, spear-phisher-men send messages that appear to come from a trusted source, a strategy that works particularly well in large, well-trafficked companies or websites with a wide range of users. Spear-phishing attacks tend to impersonate an individual within the recipient’s own company, likely someone of authority, whose message will not appear suspicious in any way.

According to Cisco’s Talos security division, spear-phishing attacks on the energy sector in 2017 appeared through a wave of emails disguised as people submitting resumes and job applications in the form of DOCX files. These files appeared so genuine during initial analysis that they almost fooled researchers into thinking all was well, as they did not have any macros or other exploits. It was only by accident that analysts noticed the status message in the loading screen of Microsoft Office, which showed that Word was covertly loading a template from a remote server. This eventually revealed that the malicious DOCX file was attempting to establish a connection to a remote SMB server, thereby tricking the local computer into disclosing the credentials for the local network. Although this trick is not particularly new, it still has the ability to seriously compromise an energy system.
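A mail gateway or triage script can look for this kind of remote-template reference before a user ever opens the attachment. The following is an added example, not code from the original article or from Talos: it assumes the reference sits in one of the document's relationship (`.rels`) parts, generalizes to any external relationship that points at a file, SMB or UNC host, and uses a constructed sample archive with a documentation-range address.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OFFICE_RELS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
TEMPLATE_TYPE = OFFICE_RELS + "attachedTemplate"

def remote_endpoint(target):
    """Return (scheme, host) when the target names a remote host, else None."""
    t = target.replace("\\", "/")
    if t.startswith("//"):  # UNC path such as \\host\share\file
        host = t[2:].split("/", 1)[0]
        return ("unc", host) if host else None
    parsed = urlparse(t)
    if parsed.scheme in ("file", "smb", "http", "https") and parsed.netloc:
        return (parsed.scheme, parsed.netloc)
    return None  # e.g. file:///C:/... is a local path with no host

def find_remote_references(docx_bytes):
    """List (part, reason, host) for external relationships that leave the machine."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            # Stdlib parser keeps the example self-contained; prefer defusedxml on untrusted mail.
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(REL_NS + "Relationship"):
                endpoint = remote_endpoint(rel.get("Target", ""))
                if rel.get("TargetMode", "").lower() != "external" or endpoint is None:
                    continue
                scheme, host = endpoint
                if rel.get("Type") == TEMPLATE_TYPE:
                    findings.append((part, "remote template", host))
                elif scheme in ("file", "smb", "unc"):
                    findings.append((part, "SMB/UNC target", host))
    return findings

def build_sample(target, rel_type=TEMPLATE_TYPE):
    """Constructed sample: a minimal archive holding one external relationship."""
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/'
            'relationships"><Relationship Id="rId1" Type="%s" Target="%s" '
            'TargetMode="External"/></Relationships>' % (rel_type, target))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()
```

A locally attached template (`file:///C:/...`) and ordinary web hyperlinks are deliberately not reported, so a hit is worth quarantining the attachment. Blocking outbound SMB at the network perimeter covers the case where a document gets through anyway.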

Three Steps to Prevent Energy Phishing

Stay Aware!

Whereas ordinary phishing attacks target recipients broadly, spear-phishing efforts usually appear to be from a familiar person or business, which makes them more exact and effective. They can contain information that makes them look and feel legitimate, but there are still visible clues to look for that can give them away. Just because the email communication bears the same institutional branding as another website does not mean it is official, so it’s important to examine these messages more closely. Although they are trickier to spot, spear-phishing attacks often contain simple errors like spelling mistakes, generic titles, and vague language that avoids personal references. The last sign and key indicator of a spear-phishing attack is the official-looking disguised link that leads the user to a malicious page. When the cursor is placed over the link, a pop-up box shows the link’s real address, which should be carefully observed.
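The hover check described above can also be automated on inbound mail. This added example, which is not part of the original article, compares the domain a link displays with the host its `href` really points to; the function names and the sample HTML body are constructed for illustration and use reserved example domains.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

DOMAIN_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

class AnchorCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def disguised_links(html_body):
    """Return (shown_domain, real_host) where link text names a different site."""
    collector = AnchorCollector()
    collector.feed(html_body)
    collector.close()
    flagged = []
    for text, href in collector.links:
        real = (urlparse(href).hostname or "").lower()
        shown = DOMAIN_RE.search(text)
        if not real or not shown:
            continue  # no host, or text like "Click here" that names no domain
        shown = shown.group(1).lower()
        if real != shown and not real.endswith("." + shown):
            flagged.append((shown, real))
    return flagged

# Constructed sample body; every domain is a reserved example name.
SAMPLE = (
    '<p>Reset at <a href="http://portal.utility.example.login.test/r">'
    'https://portal.utility.example</a></p>'
    '<a href="https://www.utility.example/news">utility.example</a>'
    '<a href="https://hr.utility.example/jobs">Click here</a>')
```

Only the first link is reported: its text shows the utility's portal while the real host merely begins with that name and ends in a different domain. The second link is a genuine subdomain and the third displays no address at all.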

Train Everyone!

The only way to effectively stop spear-phishing attacks is to train users to recognize, avoid, and report suspicious emails immediately. Everyone working within the energy sector must recognize their own role within the industry and the level of access they possess. These varying levels of privilege are essentially the currency of the information economy, as they dictate certain degrees of accessibility to sensitive data and platforms. Once all employees and clients understand the reality of their station, they are instantly more equipped to protect against attacks looking to take advantage of what they have, namely a ticket to ride the information highway.

Stay Current!

Security teams within the energy sector must work hard to implement, maintain, and update security technology and processes to prevent, detect, and respond to ever-changing spear-phishing threats. It is essential for experts in the sector to stay ahead of attackers by investing in updated threat intelligence and expertise to meet their unique needs. Education and awareness are the only strategies that can beat black hat phisher-men, so it is important to use all the tools available, including anti-spam and anti-virus software, professional consultations, and integrated security solutions that cover multiple threat vectors. InfoSec Institute offers training for staff members and counter-phishing efforts through PhishSim tools, tutorials, and advanced education, all of which are needed to formulate a complete system for fighting phishing threats.


When professionals in the energy industry use a combination of industry-leading technology, threat intelligence, and security expertise, they are able to identify key characteristics of the attack, such as which groups are likely targeting them; how they are being exploited; the ultimate goals of the cyber criminals; and the specific steps available to them to protect the organization’s assets, information, and security posture.


Jen Jeffers is a freelance writer who creates educational and historical content for the internet as well as InfoSec narratives for the deep web. Her work blends the creative with the factual to offer readers articles that are both entertaining and edifying. Although she has a strong aversion to mathematics, she is willing to research and learn about almost anything in the name of continuing education. Follow her blog The Raven Report, a history collection for the dark romantic at