
Public coverage of their tactics, techniques and procedures (TTPs) has not deterred the digital attackers targeting U.S. utilities with LookBack malware.

Between 21 August and 29 August 2019, Proofpoint observed several spear phishing emails targeting U.S. utilities. Those messages appeared to originate from globalenergycertification[.]net, an attacker-controlled domain designed to impersonate the Global Energy Certification (“GEC”) utilities licensing body. The emails used that disguise to trick recipients into downloading LookBack.

Specifically, the emails purported to be invitations for recipients to take the GEC exam administered by the Energy Research and Intelligence Institution. They used GEC branding and the subject line “Take the exam now” to persuade recipients to open a Microsoft Word attachment. That document, named “take the exam now.doc,” contained VBA macros that downloaded LookBack, a remote access trojan that, among other capabilities, lets the attackers view information stored on an infected host.

A copy of the GEC-themed phishing email. (Source: Proofpoint)
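The lure described above combines two indicators a mail gateway or SOC analyst can check mechanically: a sender domain that trades on a brand name but is not a verified sender, and a legacy .doc attachment that carries a VBA project. The following Python triage script is an added example, not Proofpoint's or Tripwire's tooling and not anything recovered from the campaign. The trusted-sender allowlist entry is a hypothetical placeholder, the VBA check is a heuristic on OLE2 directory names rather than a full parser, and the sample message and .doc bytes are constructed so the script runs offline.

```python
"""Triage of a GEC-style phishing lure: sender-domain impersonation check plus a
VBA-macro heuristic on .doc attachments. Added example; sample data is constructed."""
import email
import email.utils
from email import policy
from email.message import EmailMessage

# Brand tokens the lure traded on (from the article) and an allowlist of sender
# domains the organisation has verified. The allowlist entry is a hypothetical
# placeholder (reserved .invalid TLD), not a real GEC domain.
BRAND_TOKENS = ("globalenergycertification", "energycertification")
TRUSTED_SENDER_DOMAINS = {"globalenergycertification.invalid"}  # assumed

# OLE2 compound-file signature that legacy .doc files start with, and directory
# entry names (stored as UTF-16LE) that only appear when a VBA project is embedded.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
VBA_MARKERS = tuple(name.encode("utf-16-le") for name in ("_VBA_PROJECT", "Macros"))
MACRO_EXTENSIONS = (".doc", ".dot", ".docm", ".dotm", ".xls", ".xlsm", ".rtf")


def sender_domain(msg: EmailMessage) -> str:
    """Return the lower-cased domain of the From: address, or '' if unparseable."""
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def impersonates_brand(domain: str) -> bool:
    """True when the domain contains a brand token but is not a trusted sender."""
    if not domain or domain in TRUSTED_SENDER_DOMAINS:
        return False
    return any(token in domain for token in BRAND_TOKENS)


def has_vba_macros(data: bytes) -> bool:
    """Heuristic: OLE2 container whose directory names a VBA project or Macros storage."""
    if not data.startswith(OLE_MAGIC):
        return False
    return any(marker in data for marker in VBA_MARKERS)


def triage(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and collect phishing indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    domain = sender_domain(msg)
    if impersonates_brand(domain):
        findings.append(f"sender domain impersonates a brand: {domain}")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if name.endswith(MACRO_EXTENSIONS) and has_vba_macros(payload):
            findings.append(f"attachment {name!r} carries VBA macros")
    verdict = "suspicious" if len(findings) >= 2 else ("review" if findings else "clean")
    return {"sender_domain": domain, "findings": findings, "verdict": verdict}


def build_sample_lure() -> bytes:
    """Constructed message modelled on the lure described in the article."""
    # Constructed .doc: OLE2 header, padding, then a _VBA_PROJECT directory name.
    doc = OLE_MAGIC + b"\x00" * 504 + "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 64
    msg = EmailMessage()
    msg["From"] = "GEC Exams <exams@globalenergycertification.net>"
    msg["To"] = "operator@utility.example"
    msg["Subject"] = "Take the exam now"
    msg.set_content("Your Global Energy Certification exam is ready. Open the attachment.")
    msg.add_attachment(doc, maintype="application", subtype="msword",
                       filename="take the exam now.doc")
    return msg.as_bytes()


if __name__ == "__main__":
    result = triage(build_sample_lure())
    print(result["verdict"])
    for finding in result["findings"]:
        print(" -", finding)
```

Run against the constructed lure, the script reports the sender domain and the macro-bearing attachment and returns a verdict of "suspicious"; either indicator alone yields "review". The marker scan is deliberately cheap so it can sit inline at a gateway; a production deployment would hand matching attachments to a full OLE/VBA parser and detonate them in a sandbox.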

This isn’t the first time that Proofpoint has come across LookBack. In fact, the macros observed in this campaign were mostly the same as those used in another attack wave detected by the security firm back in July. Proofpoint responded to this initial discovery by profiling the campaign’s delivery mechanism, exploitation stage and use of LookBack to prey on three U.S. utility organizations.

But as Proofpoint noted in its latest research, its July analysis failed to deter bad actors from conducting additional malware campaigns:

Newly discovered LookBack campaigns observed within the US utilities sector provide insight into an ongoing APT campaign with custom malware and a very specific targeting profile. The threat actors demonstrate persistence when intrusion attempts have been foiled and appear to have been undeterred by publications describing their toolset…. [A]t the current moment, the creators of LookBack malware are yet to depart from their persistent focus on critical infrastructure providers in the United States.

This finding highlights the need for utility organizations to defend themselves against LookBack and similar campaigns. Towards that end, they should invest in a security solution capable of securing controllers, network devices and endpoints, as well as assessing the industrial environment for digital security risks. Learn how Tripwire can help in that regard.