The notorious Chinese state-sponsored hacking group APT10, which is believed to act for the country’s Ministry of State Security, is the most likely culprit behind a cyber campaign targeting U.S. utility companies in July. The disclosure on August 1 was made by researchers at Proofpoint, who warned that “persistent targeting of any entity that provides critical infrastructure should be considered an acute risk—the profile of this campaign is indicative of specific risk to U.S.-based entities in the utilities sector.”
The spear-phishing campaign targeted company employees with emails purporting to be from the National Council of Examiners for Engineering and Surveying (NCEES), emails that claimed to be delivering professional examination results but which were actually delivering “malicious” Microsoft Word attachments. Threat researchers at Proofpoint broke the news and dubbed the command and control malware “LookBack.”
According to Proofpoint’s Michael Raggi and Dennis Schwarz, once the emailed Microsoft Word attachment is opened, a malicious VBA macro drops files onto the host computer which then provide the malware with the command and control framework needed to access data on the machine. The malware can attack and mimic a wide range of processes on an infected machine—primarily, though, the objective is to steal data files and take operational screenshots.
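For defenders triaging mail like this, the cheap first check is whether a Word attachment carries a VBA project at all, judged by its contents rather than its extension. The following is an added example, not code from Proofpoint or this article: it classifies attachment bytes as macro-bearing OOXML (a zip with `word/vbaProject.bin`), plain OOXML, a legacy OLE binary `.doc` (which needs a CFB parser and is flagged for deeper inspection), or not a Word file, using constructed in-memory samples.

```python
import io
import zipfile

# Header of an OLE compound file, i.e. a legacy binary .doc (or .xls/.ppt).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify_word_attachment(data: bytes) -> str:
    """Return 'ooxml-macro', 'ooxml-clean', 'ole-binary' or 'not-word'.

    OOXML (.docx/.docm) is a zip container; a VBA project is stored at
    word/vbaProject.bin regardless of what extension the sender chose.
    Legacy .doc files keep macros inside OLE streams, so they are only
    flagged here for a dedicated CFB/VBA parser to examine.
    """
    if data.startswith(OLE_MAGIC):
        return "ole-binary"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = {n.lower() for n in zf.namelist()}
    except zipfile.BadZipFile:
        return "not-word"
    if "[content_types].xml" not in names:
        return "not-word"  # a zip, but not an Office Open XML package
    return "ooxml-macro" if "word/vbaproject.bin" in names else "ooxml-clean"


def _build_ooxml(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML zip, optionally with a VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes
    return buf.getvalue()


# Constructed sample attachments (file names are hypothetical).
SAMPLES = {
    "results.docx": _build_ooxml(with_macro=False),
    "exam_results.docm": _build_ooxml(with_macro=True),
    "legacy.doc": OLE_MAGIC + b"\x00" * 504,
    "notes.txt": b"plain text, not an Office document",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name}: {classify_word_attachment(blob)}")
```

A result of `ooxml-macro` or `ole-binary` on an externally sourced attachment is a reasonable trigger for quarantine or sandbox detonation rather than delivery to the user.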
APT10 made headlines in June, when it was reported that the group had compromised the systems of at least ten cellular carriers around the world to steal metadata related to specific users linked to China. While no firm connection has yet been made between APT10 and this latest attack, Proofpoint’s analysts found “similarities” between the macros used in this attack and those found to be targeting the Japanese media sector a year ago. LookBack “resembles a historic TTP utilized in those campaigns,” the researchers explained, albeit the specific malware “has not previously been associated with a known APT actor.”