A new piece of advanced espionage malware, possibly developed by a nation-supported attacker, targeted three US companies in the utilities industry last month
Between July 19 and July 25, 2019, several spear phishing emails were identified targeting three US companies in the utilities sector. The phishing emails appeared to impersonate a US-based engineering licensing board with emails originating from what appears to be an actor-controlled domain, nceess[.]com.Nceess[.]com is believed to be an impersonation of a domain owned by the US National Council of Examiners for Engineering and Surveying. The emails contain a malicious Microsoft Word attachment that uses macros to install and run malware that Proofpoint researchers have dubbed “LookBack.” This malware consists of a remote access Trojan (RAT) module and a proxy mechanism used for command and control (C&C) communication. We believe this may be the work of a state-sponsored APT actor based on overlaps with historical campaigns and macros utilized. The utilization of this distinct delivery methodology coupled with unique LookBack malware highlights the continuing threats posed by sophisticated adversaries to utilities systems and critical infrastructure providers.
The detection of a new malware family delivered using phishing tactics once used by known APT adversaries highlights a continuing global risk from nation-state actors. While definitive attribution in this instance requires further study of infrastructure, toolsets, and methodologies, the risk that these campaigns pose to utilities providers is clear. The profile of this campaign is indicative of specific risk to US-based entities in the utilities sector. Phishing emails leveraged the knowledge of the licensing bodies utilized within the utilities sector for social engineering purposes that communicated urgency and relevance to their targets. Persistent targeting of any entity that provides critical infrastructure should be considered an acute risk with a potential impact beyond the immediate targets. Since so many other individuals and sectors rely on these services to remain operational safeguarding them is paramount. Analysts continue to monitor key entities in the utilities sector to identify and prevent these and similar attacks in the hopes of preventing any intended impact to critical infrastructure.