
Chinese State Hackers Suspected Of Devious New Attack On U.S. Companies


Chinese state-sponsored hacking group APT10 is the most likely suspect for yet another attack on the U.S. utilities sector. The latest attack, in late August, was disclosed today [September 23] by researchers at Proofpoint. It is an almost exact replica of an attack on the same sector earlier this year attributed to APT10—albeit not definitively—and so the same logical conclusion can be drawn this time around.

Dubbed LookBack by the security researchers, both attacks have used spear-phishing emails that purport to be from professional examination boards and which deliver Microsoft Word attachments laced with malware. “We continue to see LookBack malware campaigns targeting the utilities sector in the United States,” warned Proofpoint VP Kevin Epstein. “We’ve seen them demonstrate persistence in the face of public tool disclosure and unsuccessful targeting efforts.”

In early August, I reported on the last attack, which used emails appearing to come from the National Council of Examiners for Engineering and Surveying (NCEES), delivering professional examination results. This time the emails impersonated the Global Energy Certification (“GEC”) examination body.

“In the most recent campaigns,” Epstein explains, “we’ve seen the APT actors responsible for LookBack malware update their phishing techniques (macros) possibly to evade detection. It demonstrates that from a tool development standpoint they are attempting to improve and increase the success rates of their campaigns.”

According to Proofpoint, the latest attack targeted “at least 17 entities in the U.S. utilities sector,” between August 21 and 29, with the emails originating from “what appears to be an actor-controlled domain.” The threat actors conducted targeted reconnaissance against their targets to scan for security vulnerabilities. One can assume the attacks were then tailored accordingly.

In this campaign, emails “utilized the GEC logo and originated from an email address at the domain globalenergycertification[.]net, which spoofs the legitimate domain globalenergycertification[.]org.” This is the same concept of operations as the last attack, with the details switched around. These emails were entitled “Take the exam now,” with a Microsoft Word attachment hosting the LookBack VBA macros.

A further word of warning from Proofpoint this time around: “Unlike earlier campaigns, actors attached a legitimate and benign PDF file for exam preparation which was also hosted on the legitimate GEC site. It is likely that this represents social engineering efforts by the actors to legitimize the email to recipients.”

This is another example of threat actors adapting their techniques to trick the recipients of their emails into trusting the content and opening the attachments. By mixing legitimate content with dangerous content, and by targeting a specific user base with a believable message, there is a significantly greater chance of success.

There are plenty of further similarities with the attack from a few weeks earlier, including the VBA macros themselves and “similar obfuscation with concatenation commands that made the macros difficult to detect with static signatures.”

Proofpoint warns that this “insight into an ongoing APT campaign” is indicative of new waves of highly targeted attacks, which “demonstrate persistence when intrusion attempts have been foiled and appear to have been undeterred by publications describing their toolset.” Let’s face it, to repeat an attack along almost identical lines just a few weeks after the last one was discovered is a bold move.

APT10 made headlines earlier this year for compromising the systems of at least ten cellular carriers to steal metadata associated with a targeted list of users linked to China. As last time, there is no firm connection to the Chinese group, but last time the researchers found “similarities” between the macros used in this attack and those found to be targeting the Japanese media sector a year ago, with LookBack “resembling a historic TTP utilized in those campaigns.” And so, if the last attack was down to China’s APT10, then this attack will likely be as well.

As I reported last time around, APT10 is known for long-term, targeted campaigns, and it is clear that the U.S. utilities sector now represents just such a target. It would have been more effective to shift to a different sector so soon after the last discovery, but the group clearly has specific objectives. If the same approach is tried again in the near term without much variance, we really will be in interesting territory. And one hopes that employees in the utilities sector are being warned and trained accordingly.
