Why Phish the Chemical Industry?
Generally, the cybercriminal’s aim of conducting a phishing attack is purely monetary, whatever method they use. From this goal, several realistic scenarios can be imagined. For instance, as in any other industry, a phishing email can be the way the hacker uses to steal bank account information, electronic account credentials, social security ID, credit/debit card information, or any other sensitive information about individuals. This gives the hacker the possibility to make a direct financial profit. At the organizational level, the phisher may get access to strategic information for the business, exposing the company’s business plan to competitors. More specifically, cybercriminals may steal patented chemical formulas, which, once sold in the black market, can give birth to similar products with cheaper prices. Another scenario is when the hacker gets access to an unpatented chemical formula which he can exploit himself or sell at very high prices. Yet another reason why the chemical industry is hacked is political. One example is the joint US and Israeli attack of 2012 to stop nuclear development in Iran.
How Are Chemical Companies Phished?
One concrete example of phishing attacks in the chemical industry is what is known as the “Nitro” phishing attack. This attack happened in 2011 and targeted over 50 companies in the chemical and defence sector located primarily in the US, UK and Bangladesh. It lasted at least 3 months and aimed at stealing research and development information as well as manufacturing information to these companies. About 100 computers belonging primarily to US and UK companies were compromised by a backdoor trojan. According to security experts, the attack seemed to be launched from an IP address based in China by a Chinese speaker, although it was unclear if it was conducted by an individual or a group of cybercriminals. Similar attack details were also used earlier in other sectors, including the non-profit and the motor industry. Nitro was a spear-phishing attack, which means that emails sent were highly personalized and a lot of details were taken into account while creating them to target specific individuals. Victims received emails about fictive security updates for the most general type and invitations from business partners for the most specific type. To these emails were attached executables which were protected or not with passwords (figure 1). When needed, the passwords were provided in the email body. By opening the email and downloading the executable file, the victims launched without being aware of it the trojan PoisonIvy, which was automatically installed in their computers and compromised them. By accessing one of the computers, hackers were able to access more computers in the hacked companies’ network. That way, they could collect as much sensitive information as possible from these companies, including intellectual properties, formulas and manufacturing details.
Figure 1: phishing message about security updates A recent example from 2016 shows that even big companies like LG Chem fall for even the most basic phishing tricks, which can cost such companies a lot of money. The company received a fake email from one of its partners, Aramco Products Trading Co., notifying LG Chem about the changes in the bank account for transactions between the two companies and providing the company with the new account to which payment should be made. LG Chem ended up sending 24 billion won, the equivalent of $21.1 million USD, without ever considering the authenticity of the email.
Finance managers can receive dozens of invoice requests per day. If not watching closely, your busy employees could walk right into a phishing scam. PhishSim can help. Another example shows that hackers, despite having only a basic knowledge of coding, can succeed in their attacks. An attack known as the “wire-wire” attack, led by Nigerian hackers, was targeting managers in different industries, including the chemical sector, by not only sending emails but most importantly ordering wire transfers. That is how the hackers interfered between one chemical company from US and its business partner from India and stole $400,000. They first hacked an email account of the Indian company, changed an invoice as well as bank account information to their own, and sent it to the US company, which fell into the trap, thinking the payment was from its stakeholder.
Three Strategies for Preventing Phishing the Chemical Industry
With the increase of phishing attacks, it becomes of utmost importance that businesses take this seriously and plan adequate procedures to mitigate the related risks. The core components of corporate phishing prevention strategy are:
Education
Employees in different business positions are in the first line of vulnerability when it comes to phishing attacks. They use email every day, and being overwhelmed by work may lead them to open malicious emails and attachments without being suspicious of their origin. This may happen even if the victim already knows about the concept of phishing. Therefore, they have to be continually aware and careful to safeguard their own information and the information of the company they work for while using computers and emails. For that, InfoSec Institute designed a tool that helps you raise awareness among your employees in a smart, quick and funny way. This tool is AwareEd, the first component of our Infosec IQ program. AwareEd is simple to use for you as an educator, and for your employees as students. You can plan content adapted to whom you target, according to their skills and position. Your employees can learn without getting bored, as AwareEd proposes videos and interactive content that involves them as active participants. AwareEd gives you also the possibility to see how much your employees move forward in their learning and assess their knowledge, making this component of our information security program cost-effective on its own.
Check out AwareEd’s dozens of self-directed tutorials, and make sure your staff watches them as well!
Practice
For an optimal effectiveness, take advantage of PhishSim, the second component of Infosec IQ. The program was designed to make your employees practice what they learned with AwareEd through specific phishing emails. Indeed, the tool allows you to create tailored phishing emails and campaigns that you have the possibility to launch anytime and for any duration. You can create a highly specific email asking the business operations manager to send you confidential documents about a patented product or just a general email to a group of employees asking them to update their bank account information for a future salary transfer. You also have the option to customize phishing campaigns, such as sending a series of emails to one receiver over a 3 month period. In all cases, the tricked employees who open the fake emails are redirected to a video explaining that they were fake-phished and giving them tips on how to avoid the real thing in future. Just make sure to surprise your employees with the phishing campaign and not reveal anything beforehand so that the learning components are more effective. PhishSim and AwareEd are not only complementary but also non-linear. You can start with any of them and follow the awareness campaign with the other. For instance, if you do not know the awareness level of your employees about phishing, you can send a “fake” phishing email and make the employees who are lured take the AwareEd course. Depending on your needs, you can also require all your employees to first follow the course, then assess their knowledge through the PhiSim campaign.
Reporting
Besides continuously educating your employees, it is important to put in place an internal reporting system that the employees use to communicate potential phishing attacks and an external reporting procedure to complain to the appropriate authorities when an actual phishing attack or campaign is launched against the company. This way, the risk is mitigated, and damages avoided and limited.
Conclusion
The chemical industry contains specific information such as formulas and manufacturing processes that are of high interest for hackers and that are secretly kept internally. Therefore, such companies should protect themselves against the growing number of phishing attacks aiming at stealing this kind of information particularly and any other sensitive information generally. AwareEd and PhishSim are strong tools which can prevent employees to be victims of phishing. When coupled with adequate reporting, phishing attack impacts can be limited and damages avoided.
References
https://www.emailtray.com/blog/email-phishing-activity-over-time-2004-2012-in-figures/ https://www.businesswire.com/news/home/20170227006461/en/2016-Exceeds-Records-Numbers-Phishing-Attacks https://www.fireeye.com/blog/executive-perspective/2016/04/cyber_attacks_agains.html https://www.washingtonpost.com/world/national-security/us-israel-developed-computer-virus-to-slow-iranian-nuclear-efforts-officials-say/2012/06/19/gJQA6xBPoV_story.html?utm_term=.76bb74a16053 https://arstechnica.com/information-technology/2011/11/nitro-spear-phishers-attacked-chemical-and-defense-company-rd/ https://www.helpnetsecurity.com/2011/11/01/nearly-50-chemical-defense-companies-hit-with-cyber-espionage-attacks/ http://www.koreaherald.com/view.php?ud=20160429000909 https://threatpost.com/researchers-go-inside-a-business-email-compromise-scam/119576/