A large-scale cyberespionage campaign targeting industrial technology and renewable energy organizations has been active since 2019.
William Thomas, a security researcher, uncovered the campaign using OSINT (open-source intelligence) techniques such as DNS scans and sandbox submissions. The attacker uses a custom "Mail Box" toolkit to send the phishing emails and hosts the phishing pages on compromised legitimate websites. The pages sat under hostnames such as "*.eu3[.]biz" and "*.eu5[.]net", with the majority on Brazilian ".com[.]br" domains.
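The free-hostname parents named above (eu3[.]biz and eu5[.]net) are the kind of indicator a defender can actually hunt for in DNS query logs; the ".com[.]br" pattern is far too broad to use the same way. The script below is an added example written for this page, not code from the researcher or from BleepingComputer: it refangs the bracketed indicators, then flags any queried name that is a subdomain of one of those parents in a few constructed BIND-style query log lines. A hit is a lead for analyst review, not a verdict, because legitimate users register hostnames under these services too.

```python
import re
from typing import Iterable, List, Optional

# Parent domains of the free hostname services named in the article, kept
# defanged the way an indicator feed would list them. (Assumption: an analyst
# maintains this list; the article gives only these two parents.)
WATCHED_PARENTS_DEFANGED = ["eu3[.]biz", "eu5[.]net"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('eu3[.]biz', 'hxxps://x') back into a usable string."""
    return (indicator.replace("[.]", ".")
                     .replace("(.)", ".")
                     .replace("hxxps://", "https://")
                     .replace("hxxp://", "http://")
                     .strip()
                     .lower())


def defang(hostname: str) -> str:
    """Defang a hostname again before it goes into a report or ticket."""
    return hostname.replace(".", "[.]")


def is_under_watched_parent(hostname: str, parents: Iterable[str]) -> Optional[str]:
    """Return the matching parent if hostname is that parent or a subdomain of it.

    The '.' + parent suffix check matters: 'eu3.biz.example.com' must NOT match,
    while 'login.eu3.biz' must. A trailing dot (FQDN form) is tolerated.
    """
    host = hostname.lower().rstrip(".")
    for parent in parents:
        if host == parent or host.endswith("." + parent):
            return parent
    return None


# Constructed sample lines in BIND query-log format; this is not real traffic.
SAMPLE_QUERY_LOG = """\
12-Jan-2022 09:14:02.113 client 10.0.0.15#51324: query: mail.example-corp.com IN A +
12-Jan-2022 09:14:05.771 client 10.0.0.15#51330: query: webmail-login.eu3.biz IN A +
12-Jan-2022 09:14:09.004 client 10.0.0.23#40122: query: eu3.biz.example.com IN A +
12-Jan-2022 09:14:12.550 client 10.0.0.42#39872: query: owa-storage.eu5.net. IN A +
"""

QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\w+)")


def find_hits(log_text: str, parents_defanged: Iterable[str] = WATCHED_PARENTS_DEFANGED) -> List[dict]:
    """Scan query-log text and return one record per query under a watched parent."""
    parents = [refang(p) for p in parents_defanged]
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line (or a different log format); skip it
        parent = is_under_watched_parent(m.group("qname"), parents)
        if parent:
            hits.append({
                "client": m.group("client"),
                "qname": defang(m.group("qname").rstrip(".")),
                "parent": defang(parent),
            })
    return hits


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_QUERY_LOG):
        print(f"{hit['client']} queried {hit['qname']} (watched parent {hit['parent']})")
```

Run as-is, the script reports two of the four constructed queries: the two clients that resolved names under eu3[.]biz and eu5[.]net. The third line is a deliberate near-miss that a naive substring match would have flagged. Feeding it a real BIND log only requires swapping the sample text for the file contents.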
The campaign’s goal was to steal the credentials of employees working for industrial technology firms, especially environmental organizations and renewable energy companies.
Organizations targeted by the phishing attacks include:
Schneider Electric, Honeywell, Huawei, HiSilicon, Telekom Romania, University of Wisconsin, California State University, Utah State University, Kardzhali Hydroelectric Power Station (Bulgaria), CEZ Electro (Bulgaria), California Air Resources Board, Morris County Municipal Utilities Authority, Taiwan Forestry Research Institute, Carbon Disclosure Program, and Sorema (Italian recycling company).
The researcher could not obtain any of the emails used in the campaign, but he believes they carried a "Your Mail Box storage is full" lure that led victims to the landing pages.
Thomas could not attribute the campaign to a specific actor, though the evidence points to overlaps with two groups: a North Korean actor and APT28, a Russian state-sponsored group.
Google's Threat Analysis Group recently reported phishing activity from APT28 that used the same .eu3[.]biz domains.
Both groups are believed to have used Zetta Hosting Solutions, the company that owns the domains seen lately in several phishing campaigns. A campaign operated by the North Korean group "Konni" used Zetta Hosting Solutions domains against organizations involved in diplomacy, and Proofpoint has reported on another group, "TA406", that is also linked to North Korean hackers.
Thomas told BleepingComputer that many APTs use Zetta; however, there is no evidence that Zetta is knowingly helping those malicious actors.
“Zetta is used a lot by APTs and malware, and I’d be very surprised if they didn’t know. They’re not a huge company. Threat actors also like these types of free hostname services where they can set up infrastructure quickly, freely, and anonymously,” said Thomas.
Zetta Hosting Solutions is also used by groups that have targeted banks in Bulgaria; the researcher noticed a cluster of activity dating back to 2019 that relied on the same infrastructure.
The researcher believes the campaign was financed by parties with a stake in fossil fuels who oppose the shift to environmentally friendly green energy, possibly someone who sells energy to Bulgaria and sees renewables as a threat.
Because the campaign targeted organizations working on green energy, the researcher considers a state-backed actor plausible. And since APT28 is a Russian group and Bulgaria imports significant amounts of Russian natural gas, a link between this campaign and Russia has a logical basis.