On the heels of a recent announcement by the North American Electric Reliability Corporation, providing details of a cyber event in March that adversely impacted a utility in the western United States, Proofpoint, a security firm, released a report in late September providing details on a hacking campaign that targeted 17 U.S. utilities between April 5 and August 29 of this year. Prior to this latest report, Proofpoint had identified three targeted utilities.
The hacks, called “LookBack,” employed previously unknown techniques, followed up by phishing attempts.
“Phishing tactics, techniques, and procedures (TTPs) observed in these campaigns are consistent with previously reported activity,” said Proofpoint in its report. “Persistent targeting of entities in the utilities sector demonstrates the continuing risk to US organizations from the actors responsible for LookBack.”
Furthermore, the report states: “The threat actors demonstrate persistence when intrusion attempts have been foiled and appear to have been undeterred by publications describing their toolset.” In addition, the focus continues to be U.S. utilities, rather than other entities or utilities in other countries.
The concern, of course, is warranted, especially since it is known what hackers can accomplish. Four years ago, for example, Ukraine’s electric grid was attacked, leading to a lengthy blackout that affected approximately 250,000 people.
“Newly discovered LookBack campaigns observed within the US utilities sector provide insight into an ongoing APT [advanced persistent threat] campaign with custom malware and a very specific targeting profile,” said the report. “In addition to the technical commonalities observed, distinct commonalities among the organizations targeted have begun to emerge. The evolution of TTPs including updated macros demonstrates a further departure from tactics previously employed by known APT groups. However, at the current moment, the creators of LookBack malware are yet to depart from their persistent focus on critical infrastructure providers in the United States.”