17 US utility firms targeted by mysterious state-sponsored group

US utility providers targeted with spear-phishing emails that try to install the LookBack remote access trojan.
Written by Catalin Cimpanu, Contributor on

A mysterious state-sponsored hacking group has targeted at least 17 US utility firms with phishing emails for a five-month period between April 5 and August 29, Proofpoint reported today.

The purpose of these attacks was to infect employees at US utility firms with LookBack, a remote access trojan with an extensive set of features.

While no formal attribution has been made, the attacks are believed to be the work of Chinese hackers, and more precisely, the work of a group tracked as APT10, based on some pieces of reused code.

Larger campaign than previously thought

The Proofpoint report published today is an expansion on a previous report the company published on August 2, earlier this year. Back then, Proofpoint reported on spear-phishing emails sent to three US utility firms between July 19 and July 25, 2019.

Today, Proofpoint reported that the initial attacks were more widespread than initially believed, and expanded the number of targeted organizations from three to 17, along with the campaign's lifetime, which appears to have started much earlier.

Put in situations where cyber-security firms expose their operations, most nation-state hacker groups tend to retreat, knowing that their targets have been informed about their modus operandi, and are less likely to fall for spear-phishing attacks.

However, in an interview with ZDNet today, Sherrod DeGrippo, Senior Director for Threat Research and Detection team at Proofpoint, told us that the group behind these attacks on US utility providers continued to operate, undisturbed by Proofpoint's first report.

"The threat actors demonstrate persistence when intrusion attempts have been foiled and appear to have been undeterred by publications describing their toolset, turning instead to updated lures with new impersonation tactics and enhanced obfuscation," DeGrippo told us.

Targeting utility providers from the energy sector

But the changes attackers made weren't even that extensive. They simply started sending emails posing as exam failures for Global Energy Certification (GEC) certifications, rather than US National Council of Examiners for Engineering and Surveying (NCEES) exams, the email subject line/lure they used in the attacks initially.

By the theme of these spear-phishing lures, it is pretty evident that attackers are targeting US utility providers from the US energy sector, such as operators of power grid infrastructure, nuclear plants, wind farms, coal plants, and others.

DeGrippo told ZDNet that the spear-phishing attacks didn't target any particular energy sector, but "represent[ed] interests across a range of utility providers."

"These were sophisticated spear-phishing attacks, credibly impersonating an industry licensing association and targeted at people who would be familiar with the impersonated organization," DeGrippo told ZDNet.

Final payload was a pretty advanced malware strain

Besides using domain names that mimicked GEC and NCEES as closely as possible, the spear-phishing emails also sometimes mixed legitimate documents with malicious ones, in an attempt to fool victims they were receiving legitimate email communications.

However, if victims allowed the macro script embedded in the Word DOC files, then the embedded VBA script would download and install the LookBack malware.

As detailed in the August report, this is a new malware strain, and one with very potent features that would have granted an attacker a backdoor into a victim's computer.

According to Proofpoint, the "LookBack malware is a remote access Trojan written in C++ that relies on a proxy communication tool to relay data from the infected host to a command and control IP.

"Its capabilities include an enumeration of services; viewing of process, system, and file data; deleting files; executing commands; taking screenshots; moving and clicking the mouse; rebooting the machine and deleting itself from an infected host."

DeGrippo told ZDNet that Proofpoint blocked the spear-phishing attacks launched against the networks of its customers; however, they couldn't say if hackers weren't successful in infecting other utility providers with the LookBack malware.

SMB scans preceded spear-phishing attacks

Furthermore, while looking closely into the more recent attacks, DeGrippo's team also discovered that prior to launching the spear-phishing attacks, the hackers behind this campaign also scanned the targeted organization's network for open SMB protocol ports (port 445).

These SMB scans usually took place up to two weeks before the spear-phishing campaign started hitting a utility provider's employees.

The connection between these scans and the later spear-phishing campaign is pretty clear, as "observed scanning IPs in some instances have also hosted phishing domains prior to their use in phishing campaigns," Proofpoint said.

"We can only speculate on the actor's particular choice of tools and protocols," DeGrippo told ZDNet. "However, scanning using this protocol does potentially help identify vulnerable systems or those networks in which they may have the greatest success spreading laterally post infection. However, it is important to note that we have not observed anything that substantiates the actor's exploitation of SMB-related vulnerabilities in observed attacks."

Proofpoint didn't name the targeted US utility providers, citing "ongoing investigations."

The company's report does, however, include indicators of compromise in the forms of domains, phishing lures, and malware file hashes, in case other utility providers want to scan their networks and see if they've been compromised.

The world's most famous and dangerous APT (state-developed) malware

Editorial standards