Russia-linked operatives allegedly are posing as U.S. State Department officials in a newly discovered phishing campaign to infiltrate government agencies, research facilities and businesses, cybersecurity specialist FireEye and other firms said.
The likely suspect is the notorious Kremlin-backed Cozy Bear, also known as APT29 and, in some circles, The Dukes or CozyDuke. It’s the same crew that, beginning in 2015, broke into the Democratic National Committee’s servers and meddled with the 2016 U.S. Presidential election. If it is them, they’ve woken up from a year-long hibernation, raising questions about the timing of the attacks, which came just days after the U.S. midterm elections.
FireEye said it has identified some 20 customers in the public and private sectors, including defense, imagery, law enforcement, local government, media, military, pharmaceutical, think tanks and transportation hit by the email fraud. The ruse lures victims into downloading malicious files using toolkits and techniques previously deployed by Cozy Bear, FireEye researchers said in a blog post.
At this point, there’s no word from FireEye on how many, if any, of its customers have been compromised by the phishing expeditions.
A few days earlier, security provider CrowdStrike said it, too, had identified the same spear-phishing campaign. “These messages purported to be from an official with the U.S. Department of State and contained links to a compromised legitimate website,” Adam Meyers, CrowdStrike VP of Intelligence, told ZDNet. “Attribution for this activity is still in progress; however, the tactics, techniques, and procedures (TTPs) and targeting are consistent with previously identified campaigns from the Russia-based actor Cozy Bear,” Meyers said.
A curious twist to the cyber offensive is Cozy Bear’s suspicious recycling of old TTPs, FireEye said. “APT29 is a sophisticated actor, and while sophisticated actors are not infallible, seemingly blatant mistakes are cause for pause when considering historical uses of deception by Russian intelligence services,” the FireEye analysts said.
Here are some more details, via FireEye:
- The attacker appears to have compromised the email server of a hospital and the corporate website of a consulting company in order to use their infrastructure to send phishing emails.
- The phishing emails were made to look like secure communication from a public affairs official at the U.S. Department of State, hosted on a page made to look like another Department of State Public Affairs official's personal drive, and used a legitimate Department of State form as a decoy.
- This information could be obtained via publicly available data, and there is no indication that the Department of State network was involved in this campaign.
- The attacker used unique links in each phishing email and the links that FireEye observed were used to download a ZIP archive that contained a weaponized Windows shortcut file, launching both a benign decoy document and a Cobalt Strike Beacon backdoor, customized by the attacker to blend in with legitimate network traffic.
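The ZIP-wrapped shortcut described in the last point is something mail-gateway and triage tooling can check for directly. What follows is an added example, not code from FireEye, CrowdStrike or the original article: a small Python parser for the Windows shell link (LNK) header that identifies shortcuts inside an attached archive by their header bytes rather than their file name, and escalates any that carry command-line arguments, since a shortcut arriving by mail is unusual on its own and one with arguments is the pattern worth pulling for analysis. The archive contents, entry names and argument string are constructed fixtures; nothing here is taken from the campaign's samples.

```python
import io
import struct
import zipfile

# Layout constants from the MS-SHLLINK shell link header.
LNK_HEADER_SIZE = 0x4C
# LinkCLSID {00021401-0000-0000-C000-000000000046}, serialised little-endian.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits that decide which optional structures follow the header.
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 1 << 0, 1 << 1, 1 << 2, 1 << 3
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 1 << 4, 1 << 5, 1 << 6, 1 << 7

# StringData fields appear in this fixed order, each present only if its flag is set.
STRING_FIELDS = [
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
]

MAX_ENTRY_BYTES = 4 * 1024 * 1024  # skip oversized entries instead of inflating them


def parse_lnk(data: bytes):
    """Return the string fields of a shell link, or None if data is not a LNK."""
    if len(data) < LNK_HEADER_SIZE:
        return None
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        return None
    fields = {"flags": flags}
    off = LNK_HEADER_SIZE
    try:
        if flags & HAS_ID_LIST:            # skip LinkTargetIDList (2-byte size prefix)
            (size,) = struct.unpack_from("<H", data, off)
            off += 2 + size
        if flags & HAS_LINK_INFO:          # skip LinkInfo (size field includes itself)
            (size,) = struct.unpack_from("<I", data, off)
            off += size
        for bit, name in STRING_FIELDS:
            if not flags & bit:
                continue
            (count,) = struct.unpack_from("<H", data, off)
            off += 2
            if flags & IS_UNICODE:
                raw, off = data[off:off + 2 * count], off + 2 * count
                fields[name] = raw.decode("utf-16-le", errors="replace")
            else:
                raw, off = data[off:off + count], off + count
                fields[name] = raw.decode("cp1252", errors="replace")
    except struct.error:
        fields["malformed"] = True         # header says LNK, but StringData is truncated
    return fields


def scan_zip(zip_bytes: bytes):
    """Flag every archive entry that is a shell link by header, whatever its extension."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_ENTRY_BYTES:
                continue
            parsed = parse_lnk(zf.read(info.filename))
            if parsed is None:
                continue
            findings.append({
                "entry": info.filename,
                "relative_path": parsed.get("relative_path", ""),
                "arguments": parsed.get("arguments", ""),
                # any shortcut in a mailed archive is odd; one with arguments is escalated
                "severity": "high" if parsed.get("arguments") else "medium",
            })
    return findings


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed test fixture: a minimal Unicode shell link with two string fields."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, flags) + b"\x00" * 52
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return header + body


def build_sample_zip() -> bytes:
    """Constructed archive: a placeholder decoy document beside a shortcut with arguments."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("decoy.pdf", b"%PDF-1.4 constructed placeholder")
        zf.writestr("form.lnk", build_lnk("decoy.pdf", "--constructed-argument"))
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample_zip()):
        print(finding)
```

The parser keys on the 0x4C header size and the fixed LinkCLSID rather than on a `.lnk` extension, so a renamed shortcut is still caught, and it tolerates truncated StringData by marking the entry malformed instead of dropping it. Entries above a size cap are skipped unread, which keeps a decompression bomb from stalling the scanner.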
“Several elements from this campaign – including the resources invested in the phishing email and network infrastructure, the metadata from the weaponized shortcut file payload, and the specific victim individuals and organizations targeted – are directly linked to the last observed APT29 phishing campaign from November 2016,” FireEye wrote in the blog post.
FireEye said it is still analyzing the activity, an indication that it’s not yet fully comfortable with conclusively pointing at Cozy Bear as the culprit. Along those lines, the security provider cautioned security pros to be on the alert. “Given the widespread nature of the targeting, organizations that have previously been targeted by APT29 should take note of this activity,” FireEye said. “For network defenders, whether or not this activity was conducted by APT29 should be secondary to properly investigating the full scope of the intrusion, which is of critical importance if the elusive and deceptive APT29 operators indeed had access to your environment.”