Researchers at Proofpoint have observed a state-sponsored spearphishing campaign targeting three US utilities companies. The emails convincingly posed as exam results from the National Council of Examiners for Engineering and Surveying (NCEES), informing the recipient that they’ve failed a “Fundamentals of Engineering” exam. The recipient is asked to open the attached Word document to see “information on how to proceed with the licensing process in your state.”
These Word documents contained malicious macros that delivered a new strain of malware Proofpoint calls “LookBack.” LookBack is a remote access Trojan that allows “enumeration of services; viewing of process, system, and file data; deleting files; executing commands; taking screenshots; moving and clicking the mouse; rebooting the machine and deleting itself from an infected host.”
Proofpoint notes that LookBack’s behavior is similar to that exhibited by malware analyzed by FireEye last year, which FireEye attributed to the Chinese espionage group APT10. The Proofpoint researchers say they don’t have enough evidence to attribute LookBack to a specific group, still less to a specific nation-state, but they do believe the campaign is state-sponsored.
The emails in this campaign were sent from nceess[.]com, which spoofs the legitimate ncees.org. Based on domain registration history, Proofpoint found that the same actor had registered other domains “which also impersonated engineering and electric licensing bodies in the US.” The researchers say this demonstrates a wider focus on the US utilities industry.
“The profile of this campaign is indicative of specific risk to US-based entities in the utilities sector,” they write. “Phishing emails leveraged the knowledge of the licensing bodies utilized within the utilities sector for social engineering purposes that communicated urgency and relevance to their targets. Persistent targeting of any entity that provides critical infrastructure should be considered an acute risk with a potential impact beyond the immediate targets. Since so many other individuals and sectors rely on these services to remain operational safeguarding them is paramount.”
Nation-state threat groups are relentless, and they possess the skills and resources necessary to carry out highly targeted social engineering attacks. New-school security awareness training is an essential layer of defense for all organizations, especially for companies that operate critical infrastructure.