Phishing attacks targeting the Polish energy sector were identified, utilizing open-source tools for credential harvesting. Domains were set up to impersonate government and energy organizations, raising concerns about planned phishing campaigns. The configuration indicates readiness for future attacks.
Affected: Polish energy sector, government organizations
Key points:
- Phishing remains a primary entry point in both targeted and opportunistic attacks.
- Domains spoofing Polish energy organizations were discovered during a review of C2-related data.
- Infrastructure associated with these domains was linked to credential harvesting activities.
- HuntSQL™ queries identified suspicious hostnames related to phishing infrastructure.
- GoPhish framework was used in the observed phishing campaigns.
- Domains involved included reputable firms from the energy sector and recognizable brands.
- While no active phishing content was found, evidence suggests continued maintenance for future use.
- Recommendations include monitoring domain registrations and tracking certificate logs for potential threats.
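The monitoring recommendation above, as an added example that is not part of the original post: a small Python check that normalizes hostnames taken from a certificate-transparency or new-registration feed and flags lookalikes of watched brands. The watchlist keywords, their legitimate apex domains and the sample CT entries are constructed assumptions for this demo, not data from the report.

```python
import re

# Brand keywords to watch and the apex domains that legitimately carry them.
# Constructed for this example; only the spoofed domains come from the report.
WATCHLIST = {
    "nomadelectric": {"nomad-electric.com"},
    "gov": {"gov.pl"},
    "mercedes": {"mercedes-benz.pl"},
}

def registrable_label(hostname):
    """'login.nomad-electric.com' -> 'nomadelectric' (second-level label, separators stripped)."""
    parts = hostname.lower().strip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    return re.sub(r"[^a-z0-9]", "", label)

def is_legitimate(hostname, apexes):
    """True only for the apex itself or a real subdomain of it ('uregov.pl' is neither)."""
    h = hostname.lower().strip(".")
    return any(h == apex or h.endswith("." + apex) for apex in apexes)

def levenshtein(a, b):
    """Plain edit distance, used to catch dropped or swapped characters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(hostname, watchlist=WATCHLIST, max_distance=2):
    """Return the watched keyword a hostname imitates, or None if clean or legitimate."""
    label = registrable_label(hostname)
    for keyword, apexes in watchlist.items():
        if is_legitimate(hostname, apexes):
            return None
        # Containment catches 'mercedes-portal'; edit distance catches 'nomadelectri'.
        if keyword in label or (len(keyword) >= 8 and levenshtein(label, keyword) <= max_distance):
            return keyword
    return None

def flag_certificates(entries):
    """entries: CT-log style records with 'cn' and 'sans'. Returns [(name, keyword)] hits."""
    hits = []
    for entry in entries:
        for name in [entry["cn"], *entry.get("sans", [])]:
            keyword = lookalike_of(name.lstrip("*."))  # wildcard certs cover the apex too
            if keyword:
                hits.append((name, keyword))
    return hits

SAMPLE_CT_ENTRIES = [  # constructed sample feed, not real CT data
    {"cn": "nomadelectri.com", "sans": ["www.nomadelectri.com"]},
    {"cn": "uregov.pl", "sans": []},
    {"cn": "login.gov.pl", "sans": []},
]
```

Short keywords such as "gov" will also match unrelated names (any label containing those letters), so tune the watchlist or add an allowlist before running this against a full CT stream.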
MITRE Techniques:
- T1071 – Application Layer Protocol: Use of HTTP/HTTPS for phishing campaigns.
- T1529 – Access Token Manipulation: Leveraging GoPhish framework for credential harvesting activities.
- T1056 – Input Data Manipulation: Crafting legitimate-looking domains to harvest user credentials.
Indicators of Compromise:
- [Domain] uregov[.]pl
- [Domain] nomad-electric[.]com
- [Domain] nomadelectri[.]com
- [IP Address] 40.67.208[.]154
- [Domain] mercedes-portal[.]pl
Full Story: https://hunt.io/blog/gophish-targets-polish-energy-government