It has been reported by Proofpoint that 17 US utility firms have been hit by phishing attacks to install LookBack malware. While no formal attribution has been made, it is suspected that the state-sponsored group APT10 may be behind the attacks.
This string of attacks against utility firms in the US demonstrates the constant threat critical national infrastructure is under. These businesses are responsible for some of the most critical public services, from energy to providing clean water. There is therefore huge potential for a hacker to inflict significant damage, not just to the firms but also to the general public. Also concerning is that the attacks are relatively simple, with only a slight change in the phishing email title from those which were exposed in July against three utility companies. Whilst these attacks are focused in the US, utility companies across the world should take heed and ramp up their defences.
Getting the basics right is fundamental for an improved security posture. Companies should start by educating their workforce on how to identify a phishing attack and ensuring this is integrated into daily working life. Critical industries also need a layered approach to cybersecurity, all the way down to a network level. This can help security teams identify malicious traffic entering and leaving their network, allowing them to quickly take steps to terminate a threat before damage is done.
We continue to see LookBack malware campaigns targeting the utility sector in the United States. Our analysis shows that these are APT actors using custom tools to target critical infrastructure. We’ve seen them demonstrate persistence in the face of public tool disclosure and unsuccessful targeting efforts.
In the most recent campaigns, we’ve seen the APT actors responsible for LookBack malware update their phishing techniques (macros) possibly to evade detection. It demonstrates that from a tool development standpoint they are attempting to improve and increase the success rates of their campaigns.
Despite the fact that the activities of this group have been found to be more extensive than was previously observed in August, we have still not seen sufficient evidence to attribute this activity to APT10. We have not observed confirmed APT10 activity since December 2018, when there were indictments against several of its operators.
Moreover, it seems unlikely that the group would resurface using outdated TTPs and lower levels of technical sophistication. Based on the information and data available, there is a difference in the malware and the level of technical skills demonstrated. Therefore, we cannot attribute this phishing campaign to our previous public reporting on APT10 targeted attacks against Japanese corporations.
However, it is clear that whatever group is behind the attacks is operating with a high familiarity with the U.S. utility sector or that they have conducted extensive reconnaissance against the industry. Even though the first wave of these attacks was first made public in August, the sector continues to be at risk from targeting and should remain vigilant.