US utilities targeted with spear-phishing emails impersonating engineering licensing board

If you worked in a US company in the utilities sector and received an email notification telling you that you’ve failed your “Fundamentals of Engineering” NCEES exam, would you download the attached Word file to check what’s up? Would you do it even if you know that you took no such exam?

Would you tell yourself that maybe forgot to take it, maybe this was the notice that tells you that you forgot to take it, and now you’ve been failed for not attending? Would you think that they maybe sent the email to the wrong person/colleague and check the attached file for the name of said colleague?

APT attackers are counting on eliciting all those questions in workers’ mind and one of them swaying them into downloading and opening a malicious attachment.

Spear-phishing tricks

Proofpoint researchers spotted the aforementioned email targeting three US companies in the utilities sector between July 19 and July 25, 2019.

The emails were made to look like they were sent by the US National Council of Examiners for Engineering and Surveying (NCEES), an engineering licensing board, and from a domain that looks like it could belong to the organization (nceess[.]com).

But it doesn’t, and the attacked Word file uses macros to install and run malware a remote access Trojan (RAT) module and a proxy mechanism used for C&C communication. The RAT module would allow attackers to do things like take screenshots, move/click mouse, delet itself, shutdown, enumerate services, start them and delete them, find, read, delete and execute files, and more.

“We believe this may be the work of a state-sponsored APT actor based on overlaps with historical campaigns and macros utilized. The utilization of this distinct delivery methodology coupled with unique LookBack malware highlights the continuing threats posed by sophisticated adversaries to utilities systems and critical infrastructure providers,” the researchers noted.

“All emails originated from the IP address 79.141.168[.]137, which appears to be an actor-controlled IP utilized to host the phishing domain nceess[.]com. An examination of passive DNS and domain registration history for this domain identified additional domains that appeared to be actor registered, which also impersonated engineering and electric licensing bodies in the US. Among these domains, only nceess[.]com was observed in active phishing campaigns targeting utility companies.”

Phishing emails leveraged the knowledge of the licensing bodies utilized within the utilities sector for social engineering purposes that communicated urgency and relevance to their targets, the researchers pointed out.

The spoofed emails were also very timely, as targets could have been expecting results of an exam they took in April.

Electric utilities, oil and gas companies and other organizations that fall in the “critical infrastructure” category are constantly being probed by a number of specialized APT groups. ICS cybersecurity experts from Dragos are tracking the activity of four groups that are focusing on electric utilities around the world.