A state-sponsored hacker group may be trying to infiltrate US utility companies with phishing emails containing malicious Microsoft Word attachments. The phishing emails carried a Microsoft Word document that would try to install a remote access Trojan on the victim's computer, according to the security firm Proofpoint. At least three US companies in the utilities sector were targeted.
Proofpoint obtained samples of the emails, which pretended to come from the US National Council of Examiners for Engineering and Surveying (NCEES). Although the emails look legitimate at first glance, they were actually sent from a hacker-controlled domain, "nceess.com," rather than the official "ncees.org" site.
The phishing emails contained a Microsoft Word document that, once opened, used macros (a series of automated commands) to install and run a piece of malware hidden within the Word file. "We believe this may be the work of a state-sponsored APT (advanced persistent threat) actor based on overlaps with historical campaigns and macros utilized," Proofpoint said in the report, which was released on Thursday.
The phishing emails tried to lure recipients into opening the attachment by claiming they had failed to pass an NCEES licensing exam, and that their score was in the attached Microsoft Word document.
Proofpoint investigated the domain tied to the phishing attack, and uncovered evidence the hackers involved have also been trying to impersonate other engineering and electric licensing organizations in the US through other spoofed domains. “Among these domains, only nceess.com was observed in active phishing campaigns targeting utility companies,” the security firm added.
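One defensive check the spoofed-domain detail above suggests, added here as an example and not part of the original article or of Proofpoint's report: flag inbound senders whose registrable domain sits within a small edit distance of a legitimate organisation's domain, which is exactly how "nceess.com" relates to "ncees.org". The list of legitimate domains and the From: headers below are constructed for the example.

```python
import re

# Domains of organisations that legitimately email your staff. ncees.org is the
# real NCEES domain named in the report; extend this list with the licensing and
# standards bodies your own organisation actually corresponds with.
LEGITIMATE_DOMAINS = ["ncees.org"]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Pull the domain out of a From: header such as 'NCEES <exams@nceess.com>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower() if m else ""


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'nceess' from 'mail.nceess.com'."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else domain


def lookalike_of(from_header: str, legit=LEGITIMATE_DOMAINS, max_distance: int = 2):
    """Return the legitimate domain this sender imitates, or None.

    An exact match is not a lookalike. Distance is measured on the registrable
    label only, so nceess.com vs ncees.org compares 'nceess' against 'ncees'
    (distance 1) rather than being masked by the different TLD.
    """
    dom = sender_domain(from_header)
    if not dom or dom in legit:
        return None
    label = registrable_label(dom)
    for good in legit:
        if levenshtein(label, registrable_label(good)) <= max_distance:
            return good
    return None


# Constructed sample headers modelled on the campaign described in the article.
SAMPLE_HEADERS = [
    "NCEES Exam Results <results@nceess.com>",   # spoofed, should be flagged
    "NCEES <exams@ncees.org>",                   # genuine domain, not flagged
    "Alice <alice@example.com>",                 # unrelated, not flagged
]
```

A mail gateway rule that quarantines or banners messages where `lookalike_of` returns a value catches this campaign's domain without needing a signature for the attachment itself.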
The phishing emails were sent between July 19 and July 25. The malware involved can act as a remote access Trojan to secretly take over a computer. The capabilities include “viewing of process, system, and file data; deleting files; executing commands; taking screenshots; moving and clicking the mouse; rebooting the machine and deleting itself from an infected host,” Proofpoint said.
The security firm says the macros used in the Word documents share similarities with other suspected state-sponsored hacking campaigns against Japanese corporations. Proofpoint refrained from identifying the three US companies targeted by the phishing scheme, but said it's clear US critical infrastructure providers need to be on guard against potential intrusion attempts. In recent years, security firms have uncovered evidence of nation-state hackers targeting utility companies with malware that can spy on, and even disrupt, factories and power plants.