North Korean hackers have been targeting U.S. electric companies via spear-phishing attacks, as NBC’s Andrea Mitchell and Ken Dilanian reported this week.
Unfortunately, these utilities remain largely unprotected against the most common type of email attack.
ValiMail discovered that of the 96 largest U.S. electric companies, 93 are wide open to being impersonated by North Korean spear phishing emails. Same-domain impersonation is the most common form of phishing, and it is also the most devious, because a well-crafted email with a fraudulent From field is difficult for most traditional security tools to detect.
There is a widely available technology standard capable of protecting companies from email impersonation: Domain-based Message Authentication, Reporting and Conformance, or DMARC for short.
DMARC is supported by 76% of the world’s email inboxes (and 100% of the major U.S. ISPs and email providers), meaning if a domain owner has published a DMARC policy, those inboxes will respect it.
With a DMARC enforcement policy, only senders who have been explicitly authorized by the domain owner will get into a recipient’s inbox.
Meanwhile, spear phishers posing as the company’s CEO, for example, will be rejected: Their messages will be deleted before delivery or sent to recipients’ spam folders, if the domain owner has set their DMARC policy accordingly.
U.S. electric companies are not taking advantage of this technology. Of the 96 such companies with revenues of $500 million or more:
- 79% have no DMARC record
- 18% have DMARC records but are not at enforcement
- Only 3% have DMARC at enforcement
Without DMARC at enforcement, these companies remain vulnerable to same-domain impersonations — the initial vector for nation-state hackers, but also for W-2 fraud, wire fraud, CEO/CFO scams, and most ransomware.
More than 75 percent of these utilities use an older email authentication technology, Sender Policy Framework (SPF), and 63.5% have valid SPF records. Many organizations believe SPF by itself protects against phishing. However, phishers can and do publish their own SPF records so that their messages pass SPF while still carrying a fraudulent From address, because SPF checks the envelope sender (the SMTP MAIL FROM domain), not the From header the recipient sees. As a result, SPF alone does not provide complete protection. To prevent fraud, SPF must be combined with a DMARC policy set to enforcement, which requires the SPF-authenticated domain to align with the From domain.
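The three buckets used in the figures above (no record, record but not at enforcement, at enforcement) and the SPF-alignment gap just described can be checked with a small evaluator. This is an added example, not ValiMail's code; the domain names and DMARC records are constructed for illustration, no DNS is queried, and DKIM is left out so the SPF case stands alone.

```python
"""Classify constructed DMARC records and apply SPF identifier alignment."""

# Constructed sample: what a TXT lookup of _dmarc.<domain> might return.
SAMPLE_DMARC_TXT = {
    "utility-a.example": None,  # no record published
    "utility-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@utility-b.example",
    "utility-c.example": "v=DMARC1; p=reject; pct=100; adkim=s; aspf=s",
    "utility-d.example": "v=DMARC1; p=quarantine",
}

def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict of lowercase tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_status(txt):
    """Map a record to the article's three buckets."""
    if txt is None:
        return "no DMARC record"
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return "no DMARC record"  # malformed records are ignored by receivers
    if tags.get("p", "none").lower() in ("quarantine", "reject"):
        return "at enforcement"
    return "not at enforcement"  # p=none only reports, it never blocks

def organizational_domain(domain):
    """Simplified: last two labels. Real receivers use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def spf_aligned(header_from_domain, spf_domain, strict):
    """DMARC requires the SPF-authenticated MAIL FROM domain to match the From header
    domain: exactly under aspf=s, same organizational domain under aspf=r (default)."""
    if strict:
        return header_from_domain.lower() == spf_domain.lower()
    return organizational_domain(header_from_domain) == organizational_domain(spf_domain)

def dmarc_disposition(dmarc_txt, header_from_domain, spf_pass, spf_domain):
    """What a DMARC-aware receiver does with a message authenticated by SPF only."""
    if dmarc_status(dmarc_txt) == "no DMARC record":
        return "deliver (no policy to apply)"
    tags = parse_dmarc(dmarc_txt)
    if spf_pass and spf_aligned(header_from_domain, spf_domain, tags.get("aspf", "r").lower() == "s"):
        return "deliver (DMARC pass)"
    policy = tags.get("p", "none").lower()  # SPF passed but on the phisher's own domain
    return {"reject": "reject", "quarantine": "quarantine (spam folder)"}.get(policy, "deliver (p=none, report only)")
```

A phisher whose own SPF record passes for MAIL FROM bounce@phisher.example, but who writes From: ceo@utility-c.example, is rejected by utility-c's p=reject policy; the same message to utility-b (p=none) or utility-a (no record) is delivered.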
Spear phishing like this is not merely an annoyance. It is the primary vector by which cyberattacks of all kinds begin. Estimates vary, but some sources state that as many as 91 percent of cyberattacks begin with a phishing email.
Fortunately, according to the NBC report, none of the spear phishing emails directed at these electric companies were successful. And, it adds, in many ways the electric grid is more secure than many people give it credit for being.
“But not every part of the electric grid is equally well defended,” as NBC’s report states.
One of those less-well-defended parts: utilities’ email systems.
Top photo: Francesco Pradella/Flickr