TA410 Targets US Energy Providers Using New FlowCloud RAT

A new wave of spear-phishing campaigns has been identified by Proofpoint researchers targeting US-based energy providers. The threat actor, tracked as TA410, also tried to pose as another hacking group, namely TA429 (APT10).

What happened

TA410 operators have been observed utilizing multiple tools as part of ongoing campaigns against US utility services providers and have evolved phishing tactics to increase the effectiveness of their campaigns.
  • The attacks took place between July and November 2019, and targeted utility providers across the U.S, by utilizing portable executable (PE) attachments and malicious macro-laden Microsoft Word documents to deliver the malicious payload. 
  • The TA410 operators used a full-fledged RAT dubbed FlowCloud to gain total control over compromised devices, as well as the capability to harvest and exfiltrate information to attacker-controlled servers.
  • These campaigns impersonated the American Society of Civil Engineers (ASCE) and spoofed the legitimate asce[.]org domain to deliver the RAT payload using a DropBox URL.

Connection with the LookBack malware

The Lookback malware and FlowCloud malware have some similarities such as preying on U.S. utility organizations, utilization of malicious macro-laden documents, and giving attackers complete control over a compromised system. These similarities link these campaigns to the same threat actor TA410.
  • In September 2019, TA410 targeted US companies in the utility sector - Global Energy Certification (GEC) exam administered by the Energy Research and Intelligence Institution.
  • In August 2019, TA410's LookBack campaigns were found targeting U.S. utility providers. The attackers updated their tactics, techniques, and procedures (TTPs) midway by switching from failed exam alerts to exam invitations.
  • In July 2019, LookBack emails impersonated U.S. entities from the utility sector - the U.S. National Council of Examiners for Engineering and Surveying (NCEES) and GEC organizations.


Stay safe

Users should enable filters on their email programs. Organizations must train employees/staff to recognize, avoid, and report suspicious emails. Users must implement, maintain, and update security technology and processes to prevent, detect, and respond to ever-evolving spear-phishing threats.