The Chinese state-sponsored hacking group APT10 is suspected to be involved in an August attack on U.S. utilities companies, a report revealed last week.
The intrusion techniques used in the hacks appeared to resemble those used in a previous hack this year, according to Forbes. The cyberattacks against at least 17 U.S. utility companies reportedly used “spear phishing” techniques, mimicking emails from professional evaluation committees and certification boards.
Cybersecurity firm Proofpoint determined the attacks were carried out by “a state-sponsored APT actor,” took place between Aug. 21 and Aug. 29, and used a method similar to that of another attack at the beginning of August.
The earlier cyberattack is believed to have been carried out by APT10, though that was not definitively proven the first time around. The first attempt reportedly used emails mimicking the National Council of Examiners for Engineering and Surveying (NCEES). The most recent attacks used emails impersonating the Global Energy Certification (GEC).
The apparent similarity of the two cyberattacks, both using “LookBack” malware attached to apparently official emails, has led cybersecurity experts at Proofpoint to once again suspect APT10, according to Forbes.
“We continue to see LookBack malware campaigns targeting the utilities sector in the United States,” Proofpoint VP Kevin Epstein told Forbes reporters, following the cyber attack. “We’ve seen them demonstrate persistence in the face of public tool disclosure and unsuccessful targeting efforts.”
The fake emails used the GEC logo and came from the domain globalenergycertification[.]net, a lookalike of the official globalenergycertification[.]org domain. The email included the malware link to a certification exam, as well as benign attachments, such as a legitimate study guide for the exam; the latter was likely meant as a “social engineering” device to further earn the trust of the recipients.
The benign attachments represent a refinement of the attackers’ methods since their previous attempts.
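The domain trick described above, a registrable name identical to the legitimate one under a different TLD, is something a mail gateway or SIEM rule can catch. The following is an added example, not code from the article or from Proofpoint: it classifies sender domains against a small allowlist of trusted domains, flagging a TLD swap or a label within one edit of a trusted label. The trusted-domain list, the local parts of the addresses and the sample senders are constructed for the demonstration.

```python
"""Flag sender domains that impersonate a trusted domain (added example)."""

# Constructed allowlist: domains the organisation actually trusts (assumption).
TRUSTED_DOMAINS = {"globalenergycertification.org", "ncees.org"}

# Constructed "From:" addresses; the local parts are invented for the example.
SAMPLE_SENDERS = [
    "exams@globalenergycertification.org",   # legitimate
    "exams@globalenergycertification.net",   # TLD swap, as in the article
    "registrar@ncees.org",                   # legitimate
    "registrar@nceess.org",                  # one-character insertion
    "newsletter@example.com",                # unrelated
]


def split_domain(domain):
    """Return (label, tld) for a simple two-part domain such as 'ncees.org'."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld


def edit_distance(a, b):
    """Levenshtein distance between two labels, used to catch typo-squatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify_sender(address, trusted=TRUSTED_DOMAINS, max_edits=1):
    """Return 'trusted', 'lookalike' or 'unrelated' for one sender address."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in trusted:
        return "trusted"
    label, tld = split_domain(domain)
    for t in trusted:
        t_label, t_tld = split_domain(t)
        # Same registrable label, different TLD: the .net / .org case above.
        if label == t_label and tld != t_tld:
            return "lookalike"
        # Label within a small edit distance of a trusted label.
        if edit_distance(label, t_label) <= max_edits:
            return "lookalike"
    return "unrelated"


def flag_lookalikes(addresses, trusted=TRUSTED_DOMAINS):
    """Return the addresses whose domain impersonates a trusted domain."""
    return [a for a in addresses if classify_sender(a, trusted) == "lookalike"]


if __name__ == "__main__":
    for addr in SAMPLE_SENDERS:
        print(f"{addr:45} {classify_sender(addr)}")
```

A rule like this only covers sender-domain impersonation; it does nothing about a compromised legitimate account or a display-name spoof, so it belongs alongside SPF/DKIM/DMARC checks rather than in place of them.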
Once a “LookBack” malware attachment is opened, the malware can run commands to find, read and delete files, plant new files, and start other services on the infected system, according to Security Boulevard.
Proofpoint believes these particular malware cyberattacks were surveying for security vulnerabilities in the U.S. utility companies.
APT10 was also alleged to have hacked ten different global cellular carriers in an effort to extract metadata, according to prior Forbes reporting in June. Those cellular hacks apparently sought metadata on Chinese dissidents.
The cellular carriers targeted in the attacks included European, African, Middle Eastern and Asian companies. No U.S. cellular carriers were reportedly targeted.
The hacking methods are persistent, reportedly resembling a game of “cat and mouse”: when the cyberattacks are detected, the threat actors stop, only to resume later.
In March 2018, U.S. officials determined that China had returned to its cyberattack methods against businesses, universities and defense industry members, in violation of a 2015 agreement against the use of cyberattacks to steal intellectual property.