New research shows more utility companies are being targeted by phishing emails

A set of possibly state-sponsored hackers has targeted a much longer list of U.S. utility-sector organizations than previously documented, according to cybersecurity company Proofpoint, underscoring the steady interest that well-resourced hackers have in U.S. critical infrastructure.

From April to August, the unidentified hackers targeted at least 17 entities in the sector, Proofpoint said. The tally jumped from the three utilities the company reported on in August after a fresh batch of phishing emails was found.

Proofpoint is unsure who is behind the spearphishing attempts, but described the activity as an “advanced persistent threat” campaign — a label used to denote state sponsorship. Proofpoint has said there are similarities between macros used by the attackers and activity last year from APT10, a group tied to China’s civilian intelligence agency. The link between the two, however, is far from conclusive.

“Our analysts did not observe additional code overlap or infrastructure reuse that would cement attribution to a known APT group,” Sherrod DeGrippo, senior director on Proofpoint’s threat research and detection team, told CyberScoop.

As with the previous email lures, the senders posed as a utility-sector certification organization. They masqueraded as representatives of the Global Energy Certification (GEC), an online training and certification body for the energy industry. The phishing emails used the GEC logo and included a benign attachment alongside a malicious one to lull the targets into a false sense of security.
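The decoy-plus-payload pattern described above is something a mail gateway or SOC triage script can look for directly. The following is an added example written for this article, not code from Proofpoint or from the original report: it parses a constructed sample message (no real phishing email is used; the sender domain is a placeholder) and flags messages that pair a harmless-looking attachment with a macro-capable Office document, which is the combination the article describes.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Office types that can carry VBA macros (the loader type the article describes).
MACRO_CAPABLE = {".doc", ".docm", ".xls", ".xlsm", ".ppt", ".pptm", ".dot", ".dotm"}
# Attachment types commonly used as harmless-looking decoys next to the payload.
DECOY_LIKE = {".pdf", ".jpg", ".jpeg", ".png", ".txt"}


def build_sample_email(include_macro_doc: bool = True) -> bytes:
    """Constructed sample message (not a real lure). Sender domain is a placeholder."""
    msg = EmailMessage()
    msg["From"] = "Certification Desk <training@example-cert.invalid>"  # placeholder
    msg["To"] = "ops@utility.example"  # placeholder
    msg["Subject"] = "Certification exam results"
    msg.set_content("Please find your results attached.")
    # The decoy: an innocuous-looking PDF.
    msg.add_attachment(b"%PDF-1.4 decoy", maintype="application",
                       subtype="pdf", filename="Results_Overview.pdf")
    if include_macro_doc:
        # The payload carrier: a macro-enabled Word document (fake bytes).
        msg.add_attachment(b"PK\x03\x04 fake docm", maintype="application",
                           subtype="vnd.ms-word.document.macroEnabled.12",
                           filename="Exam_Form.docm")
    return msg.as_bytes()


def attachment_names(raw: bytes) -> list:
    """Return the filenames of all attachments in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def triage(raw: bytes) -> dict:
    """Classify attachments and report whether the decoy-plus-macro pattern is present."""
    names = attachment_names(raw)
    exts = {os.path.splitext(n)[1].lower() for n in names}
    macro = sorted(n for n in names if os.path.splitext(n)[1].lower() in MACRO_CAPABLE)
    decoy = sorted(n for n in names if os.path.splitext(n)[1].lower() in DECOY_LIKE)
    return {
        "attachments": names,
        "macro_capable": macro,
        "decoy_like": decoy,
        # Flag only the combination: a macro-capable file riding alongside a decoy.
        "decoy_plus_macro": bool(exts & MACRO_CAPABLE) and bool(exts & DECOY_LIKE),
    }


if __name__ == "__main__":
    for label, raw in (("lure", build_sample_email(True)),
                       ("plain", build_sample_email(False))):
        print(label, triage(raw))
```

In a gateway, a hit on `decoy_plus_macro` would route the message to sandbox detonation or quarantine rather than to the user; the macro-capable list is deliberately broad because the legacy `.doc`/`.xls` formats can carry macros without a distinguishing extension.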

DeGrippo said that Proofpoint blocked all of the attempted attacks on its customers, but that it was unclear if other organizations were compromised in the ongoing campaign. She declined to characterize the size of the organizations targeted, citing ongoing investigations.

GEC did not respond to questions on whether the organization was aware of the phishing and what it has done in response.

The attackers used the same computer server to deliver their malware in both campaigns, according to Proofpoint. The malware, known as LookBack, comprises a remote access trojan that allows for a “range of data exfiltration,” DeGrippo told CyberScoop.

Despite being publicly called out last month, the hackers have updated their lures “with new impersonation tactics and enhanced obfuscation,” she added.