Looking deeper into the LookBack attack first reported in August, this week The Wall Street Journal’s Rebecca Smith and Rob Barry reported that more than a dozen U.S. utilities were targets, not three as originally identified. According to an article in Sunday’s Wall Street Journal, most of the targets were smaller utilities operating in “18 states from Maine to Washington.”
Here’s what we now know about the LookBack malware campaign.
Many More Utilities Targeted by the LookBack Malware
The new reporting on LookBack indicates that the malware targeted more than a dozen utilities, including:
- Cloverland Electric Cooperative in Michigan, which sits next to the Sault Ste. Marie Locks, a critical juncture for the transport of iron ore to U.S. steel mills
- Klickitat Public Utility District in Washington state, which is near major federal dams and transmission lines that funnel hydroelectricity to California
- Basin Electric Power Cooperative in North Dakota, one of the few utilities that can deliver electricity to both the nation’s eastern and western grids
Clearly, if any of the attacks had been successful, the consequences to daily life and the economy could have ranged from significant to severe.
How the LookBack Malware Works
LookBack is a Remote Access Trojan (RAT) that relies on a proxy communication tool to relay data from the infected host to a command-and-control server (C2). The malware can view process, system and file data; delete files; take screenshots; move and click the infected system’s mouse; reboot machines; and delete itself from an infected host. Researchers said that it deploys tactics once used by known APT (Advanced Persistent Threat) adversaries targeting Japanese corporations in 2018 – which highlights the rapidly evolving nature of malware and its use by nation-state actors.
The Microsoft Word document attached to the phishing emails contains a VBA macro that drops three different Privacy Enhanced Mail (PEM) files when executed. Certutil.exe is then dropped to decode PEM files, which are later restored to their true extensions using essentuti.exe.
The files then impersonate the name of an open-source binary used by common tools like Notepad++, which contains the C2 configuration. Finally, the macro runs GUP.exe and libcurl.dll to execute the LookBack malware. Once executed, LookBack can send and receive numerous commands, such as Find files, Read files, Delete files, Write to files, Start services, and more.
LookBack started with a spearphishing campaign, however The Wall Street Journal (The Journal) found that some impacted utility managers they talked to weren’t worried about LookBack, because malicious emails come with the territory. Chuck Zane, an IT director for Cloverland, told The Journal that malware is inside 60% of the email their server receives. “The odds of those emails making it to a desktop are slim,” he said.
Spearphishing is a common tactic used by an attacker when trying to first gain access to a utility’s network. It is also generally an indication that the attacker does not have any persistence within the network. However, it may be a little too optimistic to believe that the probability of a phishing email making its way to a desktop is low.
The Dangers of Spearphishing
In North America, public email addresses and corporate laptops that receive those emails, are prohibited from connecting to vital energy networks without first undergoing a baselining process required by CIP (critical infrastructure protection).
But a skilled attacker would use corporate email phishing attacks to gain network level access to servers and attached data storage that might contain something called BCSI (bulk electric system cyber system information). This can help an attacker find drawings of networks and is where core services can be interrupted or even accessed remotely.
BCSI is how utilities plan the future growth of power grids. Access is required to be audited, but if attackers can digitally clone themselves as a trusted utility worker, they could potentially gain access to how the network protects and maintains power grid operations, while remaining unaccounted for.
Electric Utilities Need to Defend Against Spearphishing Attacks
In the face of government concerns that the nation’s electricity grid is an attractive target for hackers, LookBack is proof that the threat is real and that no matter the size, utilities must be prepared. The good news is most utilities are taking the threat seriously.
As Chuck Zane points out, they receive these kinds of attempts all the time. Many utilities have state-of-the-art employee email filtering systems to keep phishing emails out and are taking other significant steps to ensure their security postures are strong. And while in general security budgets and better IT/OT collaboration are places for improvement, the single largest threat to utility security is human nature. We want to believe “this email can’t be bad” or “how could I possibly be the target?” but that mindset can quickly get your organization into trouble.
What’s unique about LookBack is that it provided a glimpse into how the attacker was planning their campaigns. The actual infection methodology used is extremely common. Electric utilities should expect more attacks of this nature, with artful campaigning at the heart of them.
- SecurityWeek Article: New LookBack Malware Used in Attacks Against U.S. Utilities Sector
- Threatpost Article: Nation-State APTs Target U.S. Utilities With Dangerous Malware
- Blog: IEC 62351 Standards for Securing Power System Communications
- Blog: Advancing IEC Standards for Power Grid Cyber Security
- Webpage: Real-time Visibility and Cyber Security for Electric Utilities
- Webpage: Mitigating ICS Cyber Incidents
- Webpage: Nozomi Network Labs
- Webpage: Threat Intelligence