Chinese Government Hackers Target U.S. Utilities by Impersonating Engineer Licensing Agency

Before speculating on why the Chinese government is targeting U.S. utilities, I will give a brief explanation of how this hack is implemented. Basically, it exploits a legitimate licensing agency, the US National Council of Examiners for Engineering and Surveying (NCEES), to penetrate utility companies. We can expect other legitimate organizations to be exploited in similar attacks in the future. Because of this, recognizing the attack template is important in undermining these future attacks when they occur.

As is true in so many attacks of this nature, this one begins with a phishing email. The email does its best to look legitimate. It does not contain the usual English errors, for example. It has the NCEES logo. A Word attachment is shown which has a context-appropriate name. Here is what the header looks like.


If you look at the sender address, you will see that it is from an nceess and not an ncees address, but, of course, this could easily be overlooked. In fact, if you were to check out the nceess address, you would be taken to a page that emulates a Microsoft site.


If you click anywhere on this spoofed page, you will see that it links to a legitimate Microsoft site.

micro web

VirusTotal found that 4 of 71 virus detection engines considered the site questionable. No browsers I tested blocked this site. The site is owned by Tomas Eriksson of New Zealand who does not exist.

The phishing email for this attack seems legitimate enough.


The big question is whether this email is designed well enough to make you open the attached Word document. It would seem that, if you have never taken such an exam, you would recognize this as a phishing email. In other words, I would expect a rather low success rate. But, in the cyber world, it only takes one curious person to bring down an entire network. This is why every company and organization needs solid endpoint protection.

If the attachment is opened it releases a RAT (remote access Trojan) which will do all the things Trojans do. Basically, your computer or device is taken over by the attackers. According to Proofpoint, the firm that first reported this attack, the malware can do the following.

rat functions.

This malware, now named LookBack, can also persist on the infected device by writing code into the registry. It also contains a kill switch.

Proofpoint does not directly mention Chinese hackers. However, it does imply, by mentioning similar attacks, that the Chinese government hacking group, APT10, may be behind it.

So why are they doing this? In the past, they were penetrating utility networks to map them and discover vulnerabilities that they could exploit, if they ever needed to. They were also looking for technology that they could steal. They did not want to be disruptive because their own economy depended too much on the success of the U.S. economy.

That attitude, however, may have changed. The Chinese may, in fact, want to disrupt the economy to gain an advantage in trade negotiations. These recent attacks may be a preliminary foray into these utility networks for the purpose of discovering what vulnerabilities or endpoints the attackers could exploit to this end. They may now want to enter and move through a network to disrupt it and other networks connected to it for nothing more than causing chaos. FireEye assesses this threat as serious.

“FireEye assesses with high confidence that the utilities industry — electric power, water, and waste treatment — is a target for cyber espionage from China-based advanced persistent threat (APT) groups. We believe that their infrastructure is vulnerable to destructive computer network attacks from motivated threat actors.”

Would China actually take the risky step of taking down part of the U.S. power grid? Yes, but only as a last resort. They could not risk being attacked in a similar fashion by U.S. intelligence, which is, no doubt, already in the Chinese power grid, possibly with even more devastating tools.

So for the moment, it seems that China will be content to just gather information and wait. The threat of an attack from China does exist, but will only be realized if they are backed into an economic corner and need to demonstrate that they hold some leverage. At this point, it is difficult to say what such an economic corner would look like. My guess would be that it would consist of a sudden loss in GNP coupled with a rise in unemployment which could lead to internal unrest. The problem for China, under such a circumstance, is that a U.S. counterattack could prove even more economically devastating.



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s