A set of possibly state-sponsored hackers has targeted a much longer list of U.S. utility-sector organizations than previously documented, according to cybersecurity company Proofpoint, underscoring the steady interest that well-resourced hackers have in U.S. critical infrastructure.
From April to August, the unidentified hackers targeted at least 17 entities in the sector, Proofpoint said. The tally jumped from the three utilities the company reported on in August after a fresh batch of phishing emails was found.
Proofpoint is unsure who is behind the spearphishing attempts, but described the activity as an “advanced persistent threat” campaign — a label used to denote state sponsorship. Proofpoint has said there are similarities between macros used by the attackers and activity last year from APT10, a group tied to China’s civilian intelligence agency. The link between the two, however, is far from conclusive.
“Our analysts did not observe additional code overlap or infrastructure reuse that would cement attribution to a known APT group,” Sherrod DeGrippo, senior director on Proofpoint’s threat research and detection team, told CyberScoop.
As with the previous email lures, the senders posed as a utility-sector certification organization. They masqueraded as representatives of the Global Energy Certification (GEC), an online training and certification program for the energy industry. The phishing emails used the GEC logo and included a benign attachment alongside a malicious one to lull the targets into a false sense of security.
DeGrippo said that Proofpoint blocked all of the attempted attacks on its customers, but that it was unclear if other organizations were compromised in the ongoing campaign. She declined to characterize the size of the organizations targeted, citing ongoing investigations.
In an email to CyberScoop, Max Krangle, the director of NRG Expert, an energy-research company that owns GEC, said he was unaware that the hackers were spoofing GEC’s domains.
“It looks as if a hacker has acquired a domain we do not own [we own the .com and .org versions], and spoofed our intellectual property to the energy community,” Krangle said. “It is very disappointing to hear that our intellectual property has been misused in this way.”
NRG Expert will be warning its subscribers and customers “to be on the look-out for this fraudulent activity,” he added.
The attackers used the same computer server to deliver their malware in both campaigns, according to Proofpoint. The malware, known as LookBack, comprises a remote access trojan that allows for a “range of data exfiltration,” DeGrippo told CyberScoop.
Despite being publicly called out last month, the hackers have updated their lures “with new impersonation tactics and enhanced obfuscation,” she added.
UPDATE, 09/24/19, 09:51 a.m. EDT: This story has been updated with comment from NRG Expert.