Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Hacker Group Targeted U.S. Utilities in Two Parallel Campaigns

Malicious attacks targeting the United States utilities sector last year were observed employing a previously unknown malware family that allows hackers to take over compromised systems, Proofpoint reports.

Malicious attacks targeting the United States utilities sector last year were observed employing a previously unknown malware family that allows hackers to take over compromised systems, Proofpoint reports.

Dubbed FlowCloud, the remote access Trojan (RAT) was used by the same threat actor that used the LookBack malware in campaigns targeting U.S. utilities providers last year. In fact, it appears that the adversary used both malware families in different campaigns running at the same time.

The fact that both FlowCloud and LookBack are operated by the same threat actor, referred to as TA410, was evidenced by common attachment macros and malware installation techniques, as well as overlapping delivery infrastructure identified in an analysis of phishing campaigns carried out between July and November 2019.

“Both the FlowCloud and LookBack campaigns targeted utility providers in the United States. Both used training and certification-themed lures. And both used threat actor-controlled domains for delivery. In some cases, both FlowCloud and LookBack campaigns targeted not only the same companies but also the same recipients,” Proofpoint explains.

FlowCloud includes the ability to access installed applications, files, services, and processes, as well as the keyboard, mouse, and user’s screen. Moreover, it can exfiltrate data to its command and control (C&C) server.

As part of campaigns observed between July and September 2019, the attackers used portable executable (PE) attachments and subject lines such as “PowerSafe energy educational courses (30-days trial)” to deliver the FlowCloud malware.

In November, the threat actor changed delivery tactics, adopting Microsoft Word documents carrying malicious macros instead. These resembled the delivery and installation macros used in LookBack malware campaigns. The email messages delivering them were also similar.

FlowCloud is a multi-stage payload that provides functionality based on available commands. The malware appears to have been in use since at least July 2016 and Proofpoint believes that it might have been used in attacks in Asia before being employed in the targeting of the U.S. utilities sector.

The malware, which appears to have been under development for numerous years, is compatible not only with recent Windows iterations, but also with older versions of Microsoft’s platform, such as Windows Vista and prior.

Proofpoint also discovered that FlowCloud handles configuration updates, file exfiltration, and commands as independent threads and that it uses a custom binary C&C protocol.

While investigating the attacks, the security researchers identified numerous similarities with China-linked APT10 campaigns, but they believe that TA410 might have used publicly disclosed information on APT10’s activity to plant false flags.

“All observed TA429 (APT10) similarities and indicators of compromise were available publicly prior to the start of TA410 campaigns. Therefore, while not conclusive from current analysis, the possibility remains that these overlaps represent false flag activity by the TA410 threat actor,” Proofpoint notes.

The threat actor, the researchers note, is also investing into evolving phishing tactics to increase the effectiveness of their campaigns. TA410 appears to be an established entity with mature toolsets, capable of carrying out long term campaigns against highly important targets.

Related: Additional U.S. Utilities Targeted With LookBack Malware

Related: New “LookBack” Malware Used in Attacks Against U.S. Utilities Sector

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cyberwarfare

Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona