Early in August 2019, Proofpoint described what appeared to be state-sponsored activity targeting the US utilities sector with malware that we dubbed “Lookback”. Between August 21 and August 29, 2019, several spear phishing emails were identified targeting additional US companies in the utilities sector. The phishing emails originated from what appears to be an actor-controlled domain: globalenergycertification[.]net. This domain, like those used in previous campaigns, impersonated a licensing body related to the utilities sector. In this case, it masqueraded as the legitimate domain for Global Energy Certification (“GEC”). The emails include a GEC examination-themed body and a malicious Microsoft Word attachment that uses macros to install and run LookBack. (Note confusion between Malware, Campaign and ThreatActor)
2022-09-29 ⋅ Symantec ⋅ Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East | CHINACHOPPER, Lookback, MimiKatz, PlugX, Unidentified 096 (Keylogger), x4, Witchetty
2022-04-27 ⋅ ESET Research ⋅ A lookback under the TA410 umbrella: Its cyberespionage TTPs and activity | FlowCloud, Lookback, Witchetty
2021-04-26 ⋅ Dragos ⋅ New ICS Threat Activity Group: TALONITE | FlowCloud, Lookback
2021-01-04 ⋅ nao_sec blog ⋅ Royal Road! Re:Dive | 8.t Dropper, Chinoxy, FlowCloud, FunnyDream, Lookback
2020-12-24 ⋅ IronNet ⋅ China cyber attacks: the current threat landscape | PLEAD, TSCookie, FlowCloud, Lookback, PLEAD, PlugX, Quasar RAT, Winnti
2020-06-08 ⋅ Proofpoint ⋅ TA410: The Group Behind LookBack Attacks Against U.S. Utilities Sector Returns with New Malware | FlowCloud, Lookback, APT10, TA410
2020-01-01 ⋅ Dragos ⋅ Threat Intelligence and the Limits of Malware Analysis | Exaramel, Exaramel, Industroyer, Lookback, NjRAT, PlugX
2019-09-22 ⋅ Proofpoint ⋅ LookBack Forges Ahead: Continued Targeting of the United States’ Utilities Sector Reveals Additional Adversary TTPs | Lookback, TA410
2019-08-21 ⋅ Threatgen ⋅ Taking a Closer Look at the LookBack Malware Campaign – Part 1 | Lookback
2019-08-01 ⋅ Proofpoint ⋅ LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards | GUP Proxy Tool, Lookback, TA410