Tracking a Renewable Energy Data Collection Campaign

For my first research blog of 2022, I analysed a suspected intelligence gathering campaign targeting renewable energy and industrial technology organisations, with a particular focus on Bulgaria. This long-running espionage campaign leveraged multiple credential harvesting pages to target the email accounts of employees at a number of organisations between 2019 and is ongoing in 2022. The attackers use the same ‘Mail Box’ phishing kit and host many of the pages on them infrastructure, supported by also compromising some legitimate websites.

This research was conducted using OSINT techniques such as query public sandbox submissions and passive DNS scan results. From this up to 40 individuals at target organisations from a variety of sectors were identified, but there was a focus on a few such as renewable energy, environmental protection organisations, and industrial technology. This research using OSINT alone is unable to acquire the full story, but hopefully can paint a picture of the motivation of the adversary behind this campaign.

Some of the targets include high-profile organisations such as operational technology (OT) and industrial control system (ICS) vendors like Schneider Electric and Honeywell, as well as Chinese telecommunications giant Huawei, semiconductor manufacturer HiSilicon, Telekom Romania, and US universities such as the University of Wisconsin, California State University, and Utah State University.

As mentioned above, one of the focuses of the campaign appeared to be renewable energy and environmental protection organisations. This includes the Kardzhali Hydroelectric Power Station (vec[.]nek[.]bg) and CEZ Electro (cez[.]bg), both located in Bulgaria, as well as the California Air Resources Board (arb[.]ca[.]gov), Morris County Municipal Utilities Authority (mcmua[.]com), the Taiwan Forestry Research Institute (tfri[.]gov[.]tw), the Carbon Disclosure Program (cdp[.]net), and Sorema, an Italian plastic recycling firm. There was also a small cluster of activty in 2019 linked to the same infrastructure targeting multiple banks in Bulgaria too.

Fig. 1 – ‘Mail Box’ phishing kit

Fig. 2 – Phishing pages for ICS/OT organisations

Fig. 3 – Phishing pages for Bulgarian energy companies

Fig. 4 – Phishing URLs targeting employees at energy and ICS/OT organisations

Fig. 5 – Phishing URLs targeting employees at government and NGO environmental organisations

Fig. 6 – Phishing URLs targeting employees at various banks, mostly from Bulgaria

Fig. 7 – Phishing URLs targeting members of staff at US universities

Analysis

This campaign was linked via its use of a custom ‘Mail Box’ phishing kit which simply collects the password of any user that visits it. The majority of the phishing pages have been hosted on *.eu3[.]biz, *.eu3[.]org, *.eu5[.]net hostnames (all owned by Zetta Hosting Solutions, AS44476). Some of the phishing pages were hosted on compromised websites, several of them located in Brazil (*.com[.]br). Many of the domains used by the adversary include phrases such as “update”, “activate”, or “support” and use the “-” multiple times.

The Mail Box phishing kit looks very generic and unsophisticated. The lures that lead to these credential harvesting pages were never recovered during this research. However, from visiting the second stage of the kit, the lures are likely using a generic “Your Mail Box storage is full” style phishing email. The landing page for this kit was always called “index.php” and the target’s email address is appended to the end of the phishing URL.

Attribution

Two clusters of activity did overlap with some of the campaign artefacts. This includes campaigns attributed to two advanced persistent threat (APT) groups: APT28 (also known as FancyBear and attributed to the Russian GRU) and Konni (a group linked to the North Korean RGB). On 14 January 2022, Google TAG researchers disclosed several hostnames that use the same infrastructure as this campaign. The APT28 hostnames used to phish the credentials of users in Ukraine also used “eu3[.]biz” hostnames and Zetta Hosting Solutions (AS44476). It is currently unknown, however, whether the ‘Mail Box’ phishing kit was used and the domains lack the use of the “-” multiple times. On 3 January 2022, Cluster25 disclosed a Konni RAT campaign targeting Russian diplomats also using Zetta Hosting Solutions (AS44476) for command and control (C2) domains. However, the Konni RAT used “c1[.]biz” instead of the other main three hostnames that were observed in this campaign. Based on these links alone, however, it would not be sufficient to say this campaign is connected to either APT. [12]

Attribution using these campaign artefacts and OSINT reports alone was not possible. However, it can be inferred that the adversary behind these attempts appears to be interested in Bulgaria, for starters, plus critical infrastructure, renewable energy, environmental protection agencies, and recycling technology. Supplemental targets such as ICS/OT organisations and educational institutions would compliment this intelligence gathering campaign, if access could be obtained at these entities. From this it could be suggested that the adversary behind this campaign is potentially a major source of fossil fuels and is doing research on the renewable energy sector as a threat to its income.

Indicators of Compromise (IOCs)

TypeIndicatorContext
Hostnameactivate-suport-up-date-142i[.]eu5[.]netHosts ‘Mail Box’ phishing kit
Hostnameadm-up-da-te-x2020x89354[.]eu5[.]netHosts ‘Mail Box’ phishing kit
Hostnamei197–activate-up-date[.]eu5[.]netHosts ‘Mail Box’ phishing kit
Hostnamext543-suport-up-date[.]eu5[.]netHosts ‘Mail Box’ phishing kit
Hostname8xe3615-12-2019-up-date[.]eu3[.]orgHosts ‘Mail Box’ phishing kit
Hostnamei131dere-up-date[.]eu3[.]bizHosts ‘Mail Box’ phishing kit
Hostnamejan-6543-up-date[.]eu3[.]bizHosts ‘Mail Box’ phishing kit
Hostnamex437-suport-up-dates[.]eu5[.]netHosts ‘Mail Box’ phishing kit
Hostnamee541-suport-up-date[.]eu5[.]netHosts ‘Mail Box’ phishing kit
Hostnamex914-suport-up-date[.]eu5[.]netHosts ‘Mail Box’ phishing kit
Hostname4877-activate-up-date[.]eu5[.]netHosts ‘Mail Box’ phishing kit
Hostnameactive-up-date-xk89si[.]eu5[.]netHosts ‘Mail Box’ phishing kit
Hostnameactivate-suport-up-date-i754[.]eu3[.]bizHosts ‘Mail Box’ phishing kit
Hostnameactivate-suport-up-date-i754[.]eu3[.]bizHosts ‘Mail Box’ phishing kit
Hostnameactivate-suport-up-date-321i[.]eu3[.]bizHosts ‘Mail Box’ phishing kit
Hostnameadms-suport-up-datex8323[.]eu3[.]bizHosts ‘Mail Box’ phishing kit
Hostname05-2019-up-date[.]eu5[.]netHosts ‘Mail Box’ phishing kit
Hostnamex07-2019-up-date[.]eu5[.]netHosts ‘Mail Box’ phishing kit
Hostname08-2019-up-datex[.]eu5[.]netHosts ‘Mail Box’ phishing kit
Hostname07-2019-up-datex[.]eu5[.]netHosts ‘Mail Box’ phishing kit
Hostnameadms-up-date-2020[.]eu5[.]netHosts ‘Mail Box’ phishing kit
Hostnameadm-up-date-2020×68293[.]eu5[.]netHosts ‘Mail Box’ phishing kit
Hostname08-2019-up-da-tex[.]eu5[.]netHosts ‘Mail Box’ phishing kit
Hostname06-2019-up-date1[.]eu5[.]netHosts ‘Mail Box’ phishing kit
Hostname04-2019-upd[.]eu5[.]netHosts ‘Mail Box’ phishing kit
IPv4185[.]176[.]43[.]106Hosts *.eu3[.]biz *.eu3[.]org *.eu5[.]net pages
IPv4185[.]176[.]43[.]90Hosts *.eu3[.]biz *.eu3[.]org *.eu5[.]net pages
IPv4185[.]176[.]43[.]98Hosts *.eu3[.]biz *.eu3[.]org *.eu5[.]net pages
IPv4185[.]176[.]43[.]96Hosts *.eu3[.]biz *.eu3[.]org *.eu5[.]net pages
IPv4185[.]176[.]43[.]94Hosts *.eu3[.]biz *.eu3[.]org *.eu5[.]net pages
IPv4185[.]176[.]43[.]80Hosts *.eu3[.]biz *.eu3[.]org *.eu5[.]net pages
IPv4185[.]176[.]43[.]84Hosts *.eu3[.]biz *.eu3[.]org *.eu5[.]net pages
IPv4185[.]176[.]43[.]82Hosts *.eu3[.]biz *.eu3[.]org *.eu5[.]net pages
IPv4185[.]176[.]43[.]80Hosts *.eu3[.]biz *.eu3[.]org *.eu5[.]net pages
URLhxxp://saleswarriorinc[.]com/aba/login/index[.]phpCompromised website to host ‘Mail Box’ phishing kit
URLhxxp://armaghanteb[.]com/bul/login/index[.]phpCompromised website to host ‘Mail Box’ phishing kit
URLhxxp://quadteximagery[.]com/veri/login/index[.]phpCompromised website to host ‘Mail Box’ phishing kit
URLhxxps://primage[.]com[.]br/aa/update/index[.]phpCompromised website to host ‘Mail Box’ phishing kit
URLhxxps://alphabitconsulting[.]com/veri/login/index[.]phpCompromised website to host ‘Mail Box’ phishing kit
URLhxxps://centralinsumos[.]com[.]bo/update/index[.]phpCompromised website to host ‘Mail Box’ phishing kit
URLhxxps://pwametalurgica[.]com[.]br/bb/update/index[.]phpCompromised website to host ‘Mail Box’ phishing kit
URLhxxps://cercoselectricos[.]cl/aa/update/index[.]phpCompromised website to host ‘Mail Box’ phishing kit
URLhxxps://flammaautomoveis[.]com[.]br/bul/update/index[.]phpCompromised website to host ‘Mail Box’ phishing kit
URLhxxp://englishlessons-houston[.]com/les/welcome/?user=Compromised website to host ‘Mail Box’ phishing kit
URLhxxp://saojoaodaurtigars[.]com[.]br/malaysia/login/?user=Compromised website to host ‘Mail Box’ phishing kit