Hackers who may be state-sponsored tried to spearphish three companies in the U.S. utility sector last month, cybersecurity company Proofpoint said Thursday.
The malware-laced emails were sent from July 19 to July 25 and impersonated a national association that administers engineering licensing exams, Proofpoint researchers said. A Microsoft Word document attached to the emails carried malicious macros that delivered a remote access trojan capable of deleting files, taking screenshots, rebooting a machine, and deleting itself from an infected host, among other capabilities.
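The attachment described above is the classic macro-bearing Office lure, and the attribution discussion below turns on the macros themselves. A mail gateway or triage script can flag such attachments before a user opens them by inspecting the OOXML package rather than trusting the file extension. The following is an added example, not code from Proofpoint or from the original article; the sample documents it builds are constructed in memory for illustration, and the `should_quarantine` policy is a hypothetical one.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Content types that mark a macro-enabled Word main document (.docm / .dotm).
MACRO_CONTENT_TYPES = {
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-word.template.macroEnabledTemplate.main+xml",
}
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"


def inspect_office_attachment(data: bytes) -> dict:
    """Return macro indicators for an OOXML attachment supplied as raw bytes.

    Two independent signals are checked, because either alone can be evaded:
      1. the presence of a word/vbaProject.bin part (the VBA project storage), and
      2. a macro-enabled main-document content type in [Content_Types].xml.
    A .docm renamed to .docx keeps both, so the filename is deliberately ignored.
    Legacy binary .doc (OLE2) files are not zip containers and need a different parser.
    """
    result = {"is_ooxml": False, "has_vba_project": False,
              "macro_content_type": False, "parts": []}
    if not data.startswith(b"PK\x03\x04"):
        return result
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    names = zf.namelist()
    result["parts"] = names
    result["is_ooxml"] = "[Content_Types].xml" in names
    result["has_vba_project"] = any(n.lower().endswith("vbaproject.bin") for n in names)
    if result["is_ooxml"]:
        root = ET.fromstring(zf.read("[Content_Types].xml"))
        for override in root.iter(CT_NS + "Override"):
            if override.get("ContentType") in MACRO_CONTENT_TYPES:
                result["macro_content_type"] = True
    return result


def should_quarantine(data: bytes) -> bool:
    """Hypothetical gateway policy: hold any Word attachment carrying VBA."""
    r = inspect_office_attachment(data)
    return r["has_vba_project"] or r["macro_content_type"]


def build_sample(macro: bool) -> bytes:
    """Construct a minimal OOXML package in memory (constructed test data, not a real lure)."""
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if macro else
               "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    bin_default = ('<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
                   if macro else "")
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f'{bin_default}'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        '</Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            # Placeholder OLE2 header bytes stand in for a real VBA project storage.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("macro-enabled", build_sample(True)), ("plain", build_sample(False))):
        print(label, inspect_office_attachment(sample), "quarantine:", should_quarantine(sample))
```

Both signals are reported separately so an analyst can see a package that has a VBA part but a plain content type (or vice versa), which is itself a sign of tampering worth a closer look.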
Sherrod DeGrippo, Proofpoint’s senior director of threat research and detection, told CyberScoop that her company blocked the spearphishing attempts on the three companies, which are Proofpoint customers. However, she said, “it is likely that this campaign extended to multiple utilities outside of our purview.”
It is unclear who is behind the phishing operation. There are similarities between the macros used in this campaign and those used in targeting carried out last year by a Chinese government-linked group against Japanese companies, Proofpoint said. Researchers and U.S. officials have tied the group, known as APT10, to China’s civilian intelligence agency, and have blamed it for a series of data-stealing attacks on Western companies.
But the link between the new activity and APT10 is far from definitive, and Proofpoint analysts said the malware they found isn’t associated with a known state-sponsored hacking group. Further, no other infrastructure or code overlaps “were identified to suggest attribution to a specific adversary,” they said.
Sarah Jones, a principal analyst at FireEye, the cybersecurity company that reported on APT10 activity in Japan, agreed that “the macros used in the incident described by Proofpoint are highly similar to the macros used by APT10 in 2018.” Nonetheless, Jones told CyberScoop, “we also concur that the malware is in fact different than what was used previously in 2018. At this time, we cannot definitively attribute this to APT10 or any other named group.”
Proofpoint researchers Michael Raggi and Dennis Schwarz said the profile of the phishing campaign “is indicative of a specific risk to U.S.-based entities in the utilities sector. Phishing emails leveraged knowledge of the licensing bodies utilized within the utilities sector for social engineering purposes that communicated urgency and relevance to their targets.”
The phishing emails flagged by Proofpoint purported to be from the National Council of Examiners for Engineering and Surveying, a South Carolina-based nonprofit.
In an email to CyberScoop, NCEES CEO David Cox said he was not aware of the spearphishing or the Proofpoint research.
“We have not contacted the recipients of the malicious emails because we don’t know who received them,” Cox wrote. “We have not had any notification from utility companies or any individuals about the suspicious emails.”
The NCEES does not notify test-takers of their exam results by email, as the phishing emails claimed to be doing, he said.
“We are posting a notice on our website in case anyone else is affected by this issue, and we are sending email notifications to recent examinees to alert them to the issue and remind them that NCEES does not send exam results via email,” Cox added.
The discovery comes as multiple government-affiliated hacking groups continue to take an interest in electric utilities and the oil and gas sector. In June, cybersecurity company Dragos warned that the notorious group behind the Trisis malware, which is designed to disrupt industrial safety systems, had expanded its targeting to include U.S. electric utilities.
UPDATE, 08/02/19, 10:36 a.m. EDT: This story has been updated with a comment from the National Council of Examiners for Engineering and Surveying.