The notorious Chinese state-sponsored hacking group APT10, which is believed to act for the country's Ministry of State Security, is the most likely culprit behind a cyber campaign targeting U.S. utility companies in July. The disclosure on August 1 was made by researchers at Proofpoint, who warned that "persistent targeting of any entity that provides critical infrastructure should be considered an acute risk—the profile of this campaign is indicative of specific risk to U.S.-based entities in the utilities sector."
The spear-phishing campaign targeted company employees with emails purporting to be from the National Council of Examiners for Engineering and Surveying (NCEES), emails that claimed to be delivering professional examination results but which were actually delivering "malicious" Microsoft Word attachments. Threat researchers at Proofpoint broke the news and dubbed the command and control malware "LookBack."
According to Proofpoint's Michael Raggi and Dennis Schwarz, once the emailed Microsoft Word attachment is opened, a malicious VBA macro drops files onto the host computer which then provide the malware with the command and control framework needed to access data on the machine. The malware can attack and mimic a wide range of processes on an infected machine—primarily, though, the objective is to steal data files and take operational screenshots.
APT10 made headlines in June, when it was reported that the group had compromised the systems of at least ten cellular carriers around the world to steal metadata related to specific users linked to China. While no firm connection has yet been made between APT10 and this latest attack, Proofpoint's analysts found "similarities" between the macros used in this attack and those found to be targeting the Japanese media sector a year ago. LookBack "resembles a historic TTP utilized in those campaigns," the researchers explained, albeit the specific malware "has not previously been associated with a known APT actor."
In inferrring a link, the researchers noted the mix and match nature of the coding which suggests "an attempt to evade static signature detection—while maintaining the integrity of the installation mechanism, which had been historically been used to target different sectors and geographies." In other words, hackers attempting to hide the origins of their code without reducing its effectiveness.
So let's step back. These are not isolated incidents. We know there are now organized campaigns on the part of Chinese (and Russian, Iranian and North Korean) hackers to target critical infrastructure, financial services and aerospace and defense. We know that the current hybrid cyber warfare plays on many levels, and as the U.S. focuses on the military domain, state hackers from enemy states see the wider commercial sectors as far more vulnerable and effective a place to attack. Week by week, the extent of the vulnerabilities become ever clearer. And these are in addition to the broad-brush non-targeted nuisance campaigns as seen recently with warnings over Microsoft Outlook.
"While definitive attribution in this instance requires further study," the researchers conclude, "the risk that these campaigns pose to utility providers is clear." And these campaigns are well-conceived. An email that claims to be delivering failed examination results compels its recipient. These are highly-targeted attacks—some are designed to steal significant IP, others to plant vulnerabilities in sectors seen as key to everyday nation-state operations. Energy, utilities and communications are high on that list.
The wider energy sector has found itself front and center in the hybrid cyber warfare campaign that has extended the battlefield. In recent months, Russia has been the archvillain of those campaigns. But China plies its hacking trade widely, and so this latest disclosure comes as little surprise.
In the meantime, back to the specifics. "The utilization of this distinct delivery methodology," Proofpoint concluded, "highlights the continuing threats posed by sophisticated adversaries to utilities systems and critical infrastructure providers." There is a malicious campaign underway, it carries risk, and it's far from certain it has now been contained.
APT10—Advanced Persistent Threat 10—is known for long-term, targeted campaigns, harvesting information as might an actual state intel agency. While the disclosure focuses on the technical make-up of the malware, other questions surrounding the objective of the campaign itself remain unanswered. And with the malware now ready, there are countless other delivery guises that can be tried.