Between July 19 and July 25, there was a barrage of attacks targeting American utilities companies. The group behind the attack is believed to be APT10, a Chinese state-sponsored hacking group working for the country’s Ministry of State Security. APT10 is also credited with compromising telecom firms around the world stealing client data and information China deeps important.
This attack is linked to APT10 due to past attacks and the macros used in this attack. The malware used in attack, LookBack, has not been attributed to any one group yet. There was an attack where in 2018, where APT10 might have used LookBack on Japanese corporations. Therefore, it is highly possible, that the group behind LookBack is APT10; they also may be behind the attacks on American utility companies.
LookBack, a form of malware that uses a remote access Trojan written in C++. It relies on a proxy communication tool to relay data from the infected computer to a command and control IP. This means that LookBack has a can be send the information from the compromised computer to the attacker. It sends the information back to the home base of the adversary. After LookBack completes its mission, it can reboot the machine and delete itself from the infected computer. Once LookBack is deleted from the infected computer, it becomes difficult for the organization to detect an compromise.
Since the release of the LookBack, three American utility companies have been targeted using with this malware. The attack commences by fraudulent emails sent from a false domain for the US National Council of Examiners for Engineering and Surveying. This strategy is used to trick email recipients into thinking illegitimate emails are real, causing them to open them.
The emails tricked people by stating that they were delivering professional examination results in Microsoft Word attachments. These attachments were malicious and installed LookBack on computers that opened it. After, the LookBack is installed, it uploads VBA macros on the user’s computer. VBA macros leave Privacy Enhanced Mail or PEM files on the compromised computer. PEM files assist LookBack to access data on the system.
The utility industry in the United States and the world has always been vulnerable. There were past attacks in the Ukraine and other countries, where one country targeted the other country’s utility companies. In one attack by Russia targeting the Ukrainian power grid, the power was out for several hours. This strategy has been used in and out of wartime from using bombs to sabotage the opposing country’s power grid to hacking the power grid to bring it down. These attacks could cause the power grid to be offline for hours depending on the scale of the attack. Further, if a foreign power targeted the heat during the middle of winter, people could be without heat when it is needed until it is possible to get this utility back online. Further, the impact LookBack can have is significant an
If your company has been targeted by malware or a phishing campaign, contact LIFARS.