- Security firm Proofpoint on Monday revealed that what appears to be a state-sponsored hacking campaign targeting the U.S. utility sector with malware dubbed "Lookback" has continued and grown more sophisticated since it was first revealed this summer.
- Proofpoint now says it has identified 17 utilities targeted from April 5 through Aug. 29, employing previously unknown techniques and with later phishing attempts using updated macros to obscure their purpose. The firm's previous report said it had identified three targeted utilities.
- Hackers have yet to cause a blackout in the United States but efforts are persistent, pushing governing bodies to update protection standards. The North American Electric Reliability Corporation (NERC) this month revealed details of a March cyber event that caused a utility in the western U.S. to temporarily lose visibility into parts of its system.
Proofpoint's Sept. 23 advisory is a reminder that hackers continue to hone their attacks, and will not stop even when identified.
"Persistent targeting of entities in the utilities sector demonstrates the continuing risk to US organizations from the actors responsible for LookBack," Proofpoint said. "The threat actors demonstrate persistence when intrusion attempts have been foiled and appear to have been undeterred by publications describing their toolset."
The phishing attempts include messages that appear to come from the U.S. National Council of Examiners for Engineering and Surveying.
The firm said its analysis now shows hackers "conducted reconnaissance" on future targets before staging attacks, which it said was "a newly identified" technique. Proofpoint also said the evolution of phishing tactics, including updated macros, "demonstrates a further departure from tactics previously employed."
One thing has remained constant, however: Proofpoint said the creators of LookBack malware have "yet to depart from their persistent focus on critical infrastructure providers in the United States."
Critical infrastructure protection (CIP) standards are a key issue for the U.S. electric sector, and violations are frequent. The Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC) are considering a proposal to publicly identify violators of cybersecurity standards in the bulk electric system.
FERC says it has received a growing number of Freedom of Information Act requests for non-public information for violations of CIP standards since 2018. The two agencies issued an August white paper laying out the idea: for NERC to disclose the name of the violator, the reliability standards violated and the amount of penalties assessed.
Comments on the proposal are due to FERC by Sept. 26.
Hackers targeting critical infrastructure is now a constant threat, putting utilities "at the forefront of the new cyber battlefield," Jason Haward-Grau, chief information security officer at cybersecurity firm PAS Global, told Utility Dive.
In June, The New York Times reported the United States had increased efforts to insert malicious code into Russia's electric grid. The same week, FERC Chairman Neil Chatterjee told lawmakers critical infrastructure in the U.S., including the electric grid, is "increasingly under attack by foreign adversaries.
Some experts say it is only a matter of time before a hacker is successful in disrupting an electric utility. There is precedent: Ukraine's electric grid was hit by a cyberattack four years ago, which led to a lengthy blackout for almost 250,000 people. After that, "nation states started awakening to the significant impact [that] loss of the grid can have at a country level," said Haward-Grau.
Though it had minimal impact, the March cyberattack on a western utility was the first time that remote hackers interfered with U.S. grid networks.
According to NERC, an external entity exploited a known firewall vulnerability at one of the utility's vendors, allowing an unauthenticated attacker to cause unexpected reboots of devices. The reboots resulted in brief communications outages between field devices and the control center.