ESET is reporting that on December 23, 2015, about half of the 1.4 million residents of Ukraine’s Ivano-Frankivsk region were left without power as the result of a spearphishing attack being attributed to Russia.

Ukraine Utility

Ukraine Utility Prykarpattya Oblenergo

The attack on Prykarpattya Oblenergo was the classic spearphishing attack. The targeted individual received an email masquerading as from a trusted sender. In this case, the purported sender was the Ukrainian parliament. The email had an attachment. The attachment was crafted to induce the victim to enable scripts.  The scripts then compromised the victim’s system. It is important to focus on the user to understand how this attack worked.  The user had to make and implement three decisions:

  1. Decide the email should be opened
  2. Decide the attachment should be opened
  3. Decide to enable scripts

Manipulation of the user was essential for this attack to succeed.

Would training the user have helped?  The experts at Cys Centrum, the Ukrainian cyber security firm, observed that the purported sender, the subject, the message body and the attachment were all ordinary — there was nothing suspicious, everything was right. But, clearly, everything was not right and 700,000 people lost power.

Without SP Guard personnel receiving spearphishing emails are left to guesswork in determining if the email should be trusted. That guesswork is made in a decision space that is manipulated by the attacker. With SP Guard installed, IT is able to provide personnel with real-time identification of trusted senders.