In a targeted campaign directed at multiple organizations across law enforcement, media, pharmaceutical and other public sectors, hackers with alleged ties to the Russian government have been trying to infiltrate US government computers and networks, according to a new report published by FireEye.
Malicious phishing activity believed to be conducted by the advanced persistent threat (APT) hacking group APT29, also known as Cozy Bear, was detected on November 14, 2018. According to the FireEye report, “The attempts involved a phishing email appearing to be from the U.S. Department of State with links to zip files containing malicious Windows shortcuts that delivered Cobalt Strike Beacon.”
Attackers reportedly compromised the email server of a hospital and a consulting company’s corporate website in order to distribute phishing emails. “The phishing emails were made to look like secure communication from a Public Affairs official at the U.S. Department of State, hosted on a page made to look like another Department of State Public Affairs official's personal drive, and used a legitimate Department of State form as a decoy,” FireEye said.
Impersonating an official from the US Department of Public Affairs, attackers distributed the phishing emails, which dropped a publicly available form from the US Department of State using a Cobalt Strike Beacon. The majority of targeted victims reported having received fewer than three emails, though the report noted that one target received 136 emails.
The activity is still being analyzed, and while FireEye has identified key similarities in tactics that correlate with past Cozy Bear activity, “the new campaign included creative new elements as well as a seemingly deliberate reuse of old phishing tactics, techniques and procedures (TTPs), including using the same system to weaponize a Windows shortcut (LNK) file.”
Brandon Levene, head of applied intelligence at Chronicle, confirmed that the TTPs used in this case are identical – down to the metadata – to those attributed to APT29 in 2016. “It’s odd that the exact same techniques were reused given that they have nation-state resources to develop malware,” Levene said.
“If the reports that media is a target are true, it would be interesting and could show that attackers are attempting to observe and manipulate news cycles. For instance, attackers would have advance notice of news stories and could prepare social media posts to go out when the news hits that could discredit the news or otherwise manipulate it.”
FireEye also noted that if evidence supports the suspicion that the activity is coming from Cozy Bear, this will be the first uncovered activity of the group in at least a year. “The attackers will likely remain active and come back with more sophisticated intrusion attempts since this campaign was quickly discovered. They’re going to be forced back to the drawing board,” said Levene.