Hackers Targeting US Utilities Sector with Spear Phishing Campaign

Hackers impersonating the US National Council of Examiners for Engineering and Surveying (NCEES) are targeting business in the US utility sector through a new phishing campaign. 

Between July 19 and July 25 2019, the hackers sent phishing emails to three utility companies in the US. In each case, the hackers attempted to infect the organization’s computers with a new malware variant called LookBack. 

The email has many of the signatures of a classic phishing email; the message states that the recipient had failed an NCEES examination and must take urgent action. The recipient is then instructed to open an attached Word Document, entitled Result Notice.doc. The emails were sent from a spoof email address created by the hacker to closely resemble a true NCEES account-nceess[doc]com. The hackers also carefully designed the email to increase its creditability and included the official NCEES logo. An unsuspecting recipient may have fallen for the scam, especially considering how legitimate the email address appears upon first glance. 

Once the document is opened, a VBA macro downloads a new malware variant, LookBack, consisting of a remote access Trojan (RAT), a command and control proxy tool, malware loader, and communications module for communicating with its command and control server.

Trojan horses are malware disguised as harmless software. Hackers usually install them under false pretences, tricking the user into believing that they serve a legitimate purpose. Once executed on a server, the hacker can then gain access to the system and steal valuable information for nefarious purposes.

The RAT is written in C++ and is capable of finding, reading, deleting, writing to, and executing files, starting and stopping services, enumerating services, taking screenshots, and performing mouse moves and clicks. LoockBack is also capable of deleting itself or forcing the device to shut down or reboot.

Proofpoint researchers analyzed the malware and produced a report on their website detailing the technical aspects of the phishing campaign. The researchers noted several similarities in the macros and malware code to past attacks by state-sponsored APT groups on companies in Japan 2018. Further investigation is needed before more information is released on the APT group and nation-state suspected of being behind the campaign.

The 2018 attacks were attributed to the Chinese cyber espionage group APT10 by researchers at FireEye, although no concrete links have been found between that group and the latest attacks

The campaign targeted three utility firms in the United States between July 19 and July 25, and in all instances, the malware was intercepted and neutralized.

“The risks facing utility companies, and their individual employees, are widespread and a successful attack could have extensive implications across both the private and public sectors,” said Sherrod DeGrippo, senior director of Threat Research and Detection, Proofpoint. “These attacks are sophisticated, clearly leveraging extensive research and industry knowledge by an actor who has investigated and collected data on individual targets and NCEES.”