A phishing campaign against U.S. utilities points to nation-state actors, a new report says.

The phishing emails fraudulently impersonated a licensing body in the utility sector, according to the report from cybersecurity firm Proofpoint. Phishing involves sending malware-infected email that appears to be coming from a trustworthy entity in order to steal sensitive information.

“The profile of this campaign is indicative of specific risk to US-based entities in the utilities sector,” the report states.


The big question, though, is who exactly is behind the attack.

Proofpoint believes this may be the work of a state-sponsored APT actor based on overlaps with historic campaigns and macros utilized; however, their analysts did not observe additional code overlap or infrastructure reuse that would cement attribution to a known APT group.

“They’re using a technique that’s been used by Chinese state actors in the past, but enough about these attacks is different that we cannot attribute them to an actor with confidence,” Ryan Kalember, executive vice president of Cybersecurity Strategy at Proofpoint, told Fox News in an email.

The report added, however, that the “risk that these campaigns pose to utilities providers is clear…Persistent targeting of any entity that provides critical infrastructure should be considered an acute risk with a potential impact beyond the immediate targets.”

“There’s not enough data to tell if it was a test, a signal, or regular reconnaissance. [It] might have been all three,” James Lewis, Senior Vice President and Director, Technology Policy Program at the Center for Strategic and International Studies, told Fox News.

The scary thing about these phishing attacks is they were very credible and thus believable – which differs from more run-of-the-mill phishing attacks that are riddled with language and grammatical errors. “These were excellent spear phishing attacks, credibly impersonating an industry licensing association and targeted at people in a role where that license would be essential to their work,” Proofpoint’s Kalember said.

The US National Council of Examiners for Engineering and Surveying (NCEES) is the organization impersonated by the phishing campaign, according to the report.

Emails delivered on July 19 and July 25 pretended to be a “failed examination result” from the NCEES and fraudulently utilized the NCEES logo, Proofpoint said.

Kalember added that though the attacks were successfully thwarted, that only covers their clients. “We blocked all of the ones that targeted our customers, but cannot say definitively whether other organizations were successfully compromised,” he said.