MSSP Alert is posting that last August 2019, Proofpoint researchers reported that three small US utilities had been hit with spear phishing attacks in July utilizing the LookBack malware. The malicious emails appeared to impersonate a US-based engineering licensing board and originated from a state sponsored (APT), threat actor-controlled domain. Subsequent Proofpoint analysis indicated that the hackers had targeted at least 17 US utilities from April to August 2019, based on new phishing emails its researchers uncovered. Some signs, all though uncertain, points to Hong Kong actors as the hackers. Proofpoint said the cyber attackers used similar tools as Chinese state sponsored hacking crew APT10.
The Wall Street Journal (WJS) recently identified by name at least a dozen of the facilities that were hit, a few of which are located near dams, locks and other critical infrastructure facilities and operate in 18 states. Some of the location-sensitive facilities include Michigan-based Cloverland Electric Cooperative; Klickitat Public Utility District in Goldendale, Washington; and, Basin Electric Power Cooperative in North Dakota.
According to the WSJ, Cloverland is located next to the Sault Ste. Marie locks. These locks are critical to the transportation of iron ore to US steel mills; Klickitat is located near federal dams and electric transmission lines that power California; and, Basin Electric sends electric power to US energy grids in the East and West coasts. Eleven of these utilities reported breaches. Close to a half of these utilities said that the FBI has warned them that they may have been targets. Some utilities claim they did not detect any suspicious emails yet are reported to have been targeted.
Media sources report that the FBI contacted most of these utilities and instructed them to scan their firewalls for signs of a breach. Wisconsin Rapids Water Works and Lighting Commission passed they had been probed in January and March of 2019 by someone testing the utility’s firewalls from a network located in Hong Kong. Other targeted facilities include ALP Utilities, in Alexandria, Minnesota; Cowlitz County Public Utility District in Longview, Washington; and, Flathead Electric Cooperative in Kalispell, Montana, the report said.
The US Department of Homeland Security (DHS) and the FBI have posted a number of warnings to critical infrastructure operators that foreign hackers are intent upon hitting the nation’s electricity grid. In March 2018, DHS and the FBI pushed a cyber alert referencing a campaign by Russian government cyber actors that targeted small commercial facilities’ networks with spear phishing attacks.
This 2019 information may be a prelude to future attacks on public utilities. Red Sky Alliance offers RedXray, RedXray-Plus and our CTAC tools to help you protect your network against outside cyber intrusion. For questions, comments or assistance and an assistance with RedXray/CTAC demonstration, please contact our office directly at 1-844-492-7225, or firstname.lastname@example.org