Private electric companies in the US were targeted by suspected North Korean hackers last month. Although no evidence was uncovered of the hackers having compromised industrial control systems, the phishing emails sent to targeted firms may be indicative of a possible disruptive attack in the future.
The phishing emails were sent out by the hackers on 22 September and were detected by security experts at FireEye, who believe that the campaign was likely an "early-stage reconnaissance" mission, and not a disruptive cyberattack aimed at crippling industrial control systems.
Benjamin Read, manager of cyber espionage analysis at FireEye, told IBTimes UK that the firm attributed the attempted attack to the North Korean hacker group Lazarus. This is the same hacker group that international law enforcement authorities believe was responsible for the global WannaCry ransomware attacks earlier in the year. Lazarus' activities came into the spotlight after the infamous Sony hack. The group is also suspected of being behind multiple global attacks targeting US defence contractors, international banks and more.
FireEye experts said that they have yet to observe North Korean hackers using any kind of specialised malware to "compromise or manipulate" industrial control systems. The researchers suspect that Pyongyang's state-backed hackers likely do not have access to such capabilities.
However, North Korean hackers are also suspected of having previously targeted rival South Korea's power grids with wiper malware. More recently, Seoul accused North Korea of having hacked, stolen and leaked sensitive military secrets and Seoul-Washington war plans. These attacks are also indicative of Pyongyang's efforts to showcase deterrent capabilities.
It is still uncertain as to how many US energy firms were targeted by the hackers. According to Read, FireEye detected the phishing emails sent to at least one private energy firm. "We believe additional companies were also targeted, but we are not able to confirm how many," Read said.
"Thus far, the suspected North Korean actions are consistent with a desire to demonstrate a deterrent capability rather than a prelude to an unprovoked first-strike in cyberspace; however, North Korea linked actors are bold, have launched multiple cyber attacks designed to demonstrate national strength and resolve, and have little concern for potential discovery and attribution of their operations," FireEye researchers said in a blog.
"They likely remain committed to pursuing targets in the energy sector, especially in South Korea and among the U.S. and its allies, as a means of deterring potential war or sowing disorder during a time of armed conflict."
Following publication of this article, FireEye responded to our request for further information. This article has been updated to include comments from Benjamin Read, manager of cyber espionage analysis at FireEye.