3645250624?profile=RESIZE_710xBeginning in July 2019, Proofpoint began tracking a phishing campaign targeting US power utility companies. The campaign, dubbed “Lookback” involved malicious emails leveraging a Microsoft Word attachment that uses macros to deliver the Lookback malware. At least 17 power utility companies have been targeted by this campaign, representing a growing threat to the US power grid.[1]


Analysts at Proofpoint have uncovered an ongoing campaign targeting US power utility companies with spear phishing emails delivering a custom malware payload. The campaign has been active since April 2019, with new emails sent as recently as late August. The threat actors involved in this campaign performed reconnaissance up to two weeks before sending the malicious emails by scanning targets using a staging IP on port 445 (SMB over IP).[2]

3645248464?profile=RESIZE_710xFigure 1. Lookback Phishing Email

Actors then sent spear phishing emails to targets with social engineering spoofing the Global Energy Certification (GEC) administered by the Energy Research and Intelligence Institution, a legitimate entity. The emails used the GEC logo and were sent from email addresses using the domain, globalenergycertification[.]net, a typosquat of the real domain, globalenergycertification[.]org. The contents of the emails prompted victims to complete the certification by taking an exam, and contained a malicious Microsoft Word document attachment that used VBA macros to install the embedded Lookback malware modules.[3] The Lookback malware configures  a local host proxy and performs remote access Trojan functions. All of the LookBack specimens from this campaign leverage same C2 IP address, 103.253.41[.]45, and URL format, hxxp://%s/status[.]gif?r=%d in their beacons.[4]

This campaign comes just as the North American Electric Reliability Corporation (NERC) announced that a March attack on the US power grid was the first of its kind to successfully disrupt grid network operations thanks to an unpatched firewall vulnerability.[5] A recent audit from the Government Accountability Office reports that  industrial control systems that are integrated in the US electric grid are now more vulnerable than ever to cyberattacks due to the addition of remote access features.[6]

Additionally, foreign threat actors looking to target US critical infrastructure are growing in number and sophistication, and are elevating their attack capabilities. The U.S. Senate Committee on Energy and Natural Resources recently announced it is seeking legislation to provide $250M for Utility Cyber spending in order to ramp up defenses against these kind of attacks.[7]


The new Lookback phishing campaign represents a highly targeted Advanced Persistent Threat (APT) carried out by experienced threat actors. It is part of a growing trend involving targeted attacks against US power utilities, and it is expected that these entities will continue to be targeted. Wapack Labs offers analytic monitoring tools, such as RedXray, that can notify companies of incoming threats. Of the top ten largest utility companies in the US, all ten had hits in RedXray, for a total of nearly 1,000 hits, including breached accounts, malicious emails, and potential malware infections. Monitoring these hits can provide an early warning and can help protect against network attacks.  

Wapack Labs is located in New Boston, NH.  We are a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com        

The full report can be downloaded here: TIR-19-277-001_Lookback_Phishing_Campaign.pdf

[1] https://www.proofpoint.com/us/threat-insight/post/lookback-forges-ahead-continued-targeting-united-states-utilities-sector-reveals

[2] Proofpoint

[3] Proofpoint

[4] Proofpoint

[5] https://www.zdnet.com/article/cyber-security-incident-at-us-power-grid-entity-linked-to-unpatched-firewalls/

[6] https://www.govinfosecurity.com/gao-raises-concerns-about-power-grid-vulnerabilities-a-13157

[7] https://ero-insider.com/senate-cybersecurity-funding-3131/