
Threat Update – LookBack RAT Still Targeting U.S. Utilities

Author: Jennifer Walker

Created: Tuesday, September 24, 2019 - 16:27

Categories: Cybersecurity, Security Preparedness

As WaterISAC shared in its August 6 Security and Resilience Update, the LookBack remote access trojan has a penchant for targeting U.S. utilities. WaterISAC is also aware of at least one member utility that received an email consistent with activity described in the LookBack campaign. The email purported to be from a state water sector association, Florida Rural Water Association (FRWA).

Cybersecurity firm Proofpoint has identified at least 17 entities in the U.S. utilities sector targeted by these actors from April 5 through August 29, 2019. Activity in the first campaign identified by Proofpoint purported to come from the National Council of Examiners for Engineering and Surveying (NCEES), a business that handles professional licensing for engineers and surveyors. In a recent campaign between August 21 and August 29, 2019, several spear phishing emails originated from what appears to be an actor-controlled domain: globalenergycertification[.]net. This domain masqueraded as the legitimate domain for Global Energy Certification ("GEC"); GEC's official domain ends in [.]org. The emails include a GEC examination-themed body and a malicious Microsoft Word attachment that uses macros to install and run LookBack. Proofpoint also identified a new TTP: scanning activity for SMB over IP via port 445 up to two weeks prior to the arrival of phishing emails.

Perch users subscribed to the WaterISAC Community will be able to detect these additional LookBack IoCs within their environments. All members are encouraged to check networks and report similar activity, especially if dealing with NCEES, FRWA, GEC or similar sector-specific organizations. For additional details regarding reconnaissance, delivery, and exploitation, read the post at Proofpoint.
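One way to check for the pattern described above, as an added example that is not WaterISAC's or Proofpoint's code: it flags mail from a sender whose domain matches a trusted organization's name under a different TLD, then lists external sources that probed port 445 in the two weeks before that email arrived. The log formats, the internal address range, the trusted-domain list and all sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions: trusted partner domains and the utility's internal address range.
TRUSTED_DOMAINS = {"globalenergycertification.org"}
INTERNAL_NET = ip_network("10.0.0.0/8")
WINDOW = timedelta(days=14)  # advisory: scanning "up to two weeks prior"

# Constructed sample records, not real telemetry.
FIREWALL_LOG = [
    "2019-08-01T02:10:00 DENY TCP 198.51.100.7 -> 10.20.0.15:445",   # outside window
    "2019-08-12T03:12:44 DENY TCP 203.0.113.50 -> 10.20.0.15:445",
    "2019-08-12T03:12:45 DENY TCP 203.0.113.50 -> 10.20.0.16:445",
    "2019-08-15T11:00:00 ALLOW TCP 10.20.0.30 -> 10.20.0.15:445",    # internal file share
    "2019-08-18T07:30:00 DENY TCP 203.0.113.99 -> 10.20.0.15:3389",  # not SMB
]
MAIL_LOG = [
    ("2019-08-22T09:15:00", "exams@globalenergycertification.net"),
    ("2019-08-23T10:00:00", "info@globalenergycertification.org"),
    ("2019-08-23T11:00:00", "billing@vendor.example"),
]

def lookalike_of(sender):
    """Return the trusted domain a sender imitates (same name, other TLD), else None."""
    domain = sender.rsplit("@", 1)[-1].lower()
    name = domain.rsplit(".", 1)[0]
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and name == trusted.rsplit(".", 1)[0]:
            return trusted
    return None

def external_smb_probes(lines):
    """Yield (timestamp, source IP) for traffic to port 445 from outside INTERNAL_NET."""
    for line in lines:
        ts, _action, _proto, src, _arrow, dst = line.split()
        if dst.rsplit(":", 1)[1] == "445" and ip_address(src) not in INTERNAL_NET:
            yield datetime.fromisoformat(ts), src

def correlate(firewall_lines, mail_records):
    """Pair each lookalike-domain email with SMB probe sources seen in the prior window."""
    probes = list(external_smb_probes(firewall_lines))
    findings = []
    for ts_str, sender in mail_records:
        trusted = lookalike_of(sender)
        if trusted:
            received = datetime.fromisoformat(ts_str)
            prior = sorted({s for t, s in probes if timedelta(0) <= received - t <= WINDOW})
            findings.append({"sender": sender, "imitates": trusted, "prior_smb_sources": prior})
    return findings
```

The probe sources are returned for analyst review only; a hit in the window does not establish that the scanning and the email came from the same actor.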
