Proofpoint researchers said in a report that 17 US utilities have been the target of a mysterious state-backed hacking group. The hackers sent phishing emails to the utilities' employees for at least five months (April to August 2019).
The hackers tried to infect employees' systems with LookBack, a remote access trojan with many features.
Proofpoint's report continues a report it published in early August. Researchers then reported attacks on three US utilities that took place between 19 and 25 July 2019.
According to the current data, Proofpoint states that the first attacks were more widespread than initially thought. The hackers expanded their attacks and eventually targeted 17 businesses. In addition, there are suspicions that the attacks started earlier than April.
Most state-backed hacking teams tend to back down when security companies discover and publicize their activity.
However, according to a senior Proofpoint executive, this group did not retreat and continued its attacks even after Proofpoint's first report in early August.
In fact, the hackers not only were not deterred but also developed new attack methods in the meantime.
Attacks on energy companies
Based on the emails sent, the researchers conclude that the hackers mainly targeted businesses in the energy sector, such as power plants, nuclear power plants, wind farms and others.
The head of Proofpoint's research said the spear-phishing attacks were not aimed at one specific energy sector but at various utilities.
The hackers impersonated employees of organizations that work with the targeted businesses so as not to arouse suspicion.
If the victims opened the malicious documents, the embedded VBA script downloaded and installed the LookBack malware.
Researchers noted that the new malware has many features that give the attacker a backdoor on the victim's computer.
Its capabilities are many: it monitors the system and files, deletes files, executes commands, captures screenshots, moves and clicks the mouse, reboots the computer and deletes itself from the infected machine.
Proofpoint managed to block the spear-phishing attacks on its clients' networks. However, the hackers may have been able to attack other businesses with the LookBack malware.
Researchers found that before sending the phishing emails, the hackers scanned the targets' networks for hosts with SMB exposed (port 445).
These scans took place about two weeks before the phishing emails reached the utilities' employees and allowed the hackers to identify vulnerable systems.
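The pre-phishing SMB reconnaissance described above is something a defender can hunt for in perimeter firewall logs. The following is an added example, not code from the Proofpoint report: it flags external sources that probe TCP/445 on several internal hosts and checks whether such a scan fell in the two-week window before a phishing wave. The log format, the 10.0.0.0/8 internal range and the sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed firewall log excerpt (sample data, not from Proofpoint's report);
# 10.0.0.0/8 stands in for the utility's internal range, external addresses are RFC 5737 ones.
SAMPLE_LOG = """\
2019-07-01T02:11:04Z deny src=203.0.113.7 dst=10.0.1.10 dport=445
2019-07-01T02:11:05Z deny src=203.0.113.7 dst=10.0.1.11 dport=445
2019-07-01T02:11:05Z deny src=203.0.113.7 dst=10.0.1.12 dport=445
2019-07-01T02:11:07Z allow src=203.0.113.7 dst=10.0.1.14 dport=445
2019-07-01T02:15:00Z allow src=198.51.100.4 dst=10.0.1.20 dport=443
2019-07-01T02:16:00Z deny src=198.51.100.4 dst=10.0.1.21 dport=445
2019-07-14T09:02:00Z allow src=192.0.2.9 dst=10.0.2.25 dport=25
"""
LINE_RE = re.compile(r"^(\S+) (allow|deny) src=(\S+) dst=(\S+) dport=(\d+)$")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_log(text):
    """Yield (ts, action, src, dst, dport) per well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, action, src, dst, dport = m.groups()
            yield parse_ts(ts), action, src, dst, int(dport)

def find_smb_scanners(records, min_targets=3):
    """Map each external source that probed TCP/445 on at least min_targets
    distinct internal hosts to (first_seen, distinct_targets, allowed_hits)."""
    targets, first_seen, allowed = defaultdict(set), {}, defaultdict(int)
    for ts, action, src, dst, dport in records:
        # only inbound 445 from outside the 10/8 range counts as reconnaissance
        if dport != 445 or src.startswith("10.") or not dst.startswith("10."):
            continue
        targets[src].add(dst)
        first_seen[src] = min(first_seen.get(src, ts), ts)
        allowed[src] += action == "allow"  # an allowed hit means SMB was reachable
    return {s: (first_seen[s], len(t), allowed[s])
            for s, t in targets.items() if len(t) >= min_targets}

def scans_preceding(scanners, phishing_seen, window=timedelta(days=14)):
    """Scanners whose first 445 probe fell within `window` before a phishing
    wave; the report puts the scans roughly two weeks ahead of the emails."""
    return sorted(s for s, (first, _, _) in scanners.items()
                  if phishing_seen - window <= first <= phishing_seen)
```

Running `scans_preceding(find_smb_scanners(parse_log(SAMPLE_LOG)), parse_ts("2019-07-14T09:02:00Z"))` on the sample returns the one source that swept four internal hosts on 445 thirteen days before the email; a non-zero `allowed_hits` count is the case worth escalating, since it means SMB was actually reachable from outside.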
Proofpoint did not say which utilities were the victims of the attack, as it said investigations were continuing.