
Attacks/Breaches

11/20/2018 08:00 PM

Russia Linked Group Resurfaces With Large-Scale Phishing Campaign

APT29/Cozy Bear is targeting individuals in military, government, and other sectors via email purporting to be from US State Department.

After a nearly two-year hiatus, Russia-based threat group APT29, or Cozy Bear, is back at it, this time with a large-scale phishing campaign targeting US organizations across multiple sectors.

Researchers from security vendor FireEye say they have recently observed a phishing email purporting to be from the US Department of State being sent to individuals in the military, government, law enforcement, pharmaceutical, transportation, and other sectors.

The tactics, techniques, and procedures being used in the campaign, as well as the targeting, are similar to those used by APT29 shortly after the US general elections in November 2016.

FireEye says it is still analyzing the activity and does not have conclusive attribution yet. But there's enough overlap between the current phishing campaign and the one in 2016 to strongly suggest that APT29 is behind it. For instance, the construction of the phishing email, the network infrastructure, and the payload have all been directly linked to APT29 in the past.

"We haven't seen large-scale phishing attacks from this group in two years, but we have seen similar activity from them before," says Matthew Dunwoody, senior security architect at FireEye. Historically, APT29's motivation for such attacks has been access to specific types of geopolitical data. "The large scale of the attack suggests that they may be attempting to hide their true targets," he says.

In a report this week, FireEye described APT29/Cozy Bear's latest campaign as involving a phishing email purporting to be secure communications from a public affairs official at the State Department. Links in the document lead to a zip archive containing a Windows shortcut file that is designed to drop a benign decoy document as well as Cobalt Strike Beacon — a commercial penetration-testing tool — on the compromised system.
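A mail-gateway or sandbox triage check for the delivery chain described above (a zip archive carrying a Windows shortcut next to a decoy document). This is an added example, not FireEye's code; the archive it inspects is constructed in the block, and the shortcut inside it is only a header with zero padding, not a working shortcut. It identifies shortcuts by the MS-SHLLINK header rather than by extension, so renamed .lnk files are still caught, and it recurses into nested zips.

```python
import io
import zipfile

# MS-SHLLINK header: HeaderSize 0x0000004C followed by LinkCLSID
# {00021401-0000-0000-C000-000000000046} in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4c000000" + "0114020000000000c000000000000046")
DOC_EXT = (".pdf", ".doc", ".docx", ".rtf")


def is_shell_link(data: bytes) -> bool:
    """Content check: catches shortcuts even when the extension was changed."""
    return data[:20] == LNK_MAGIC


def triage_archive(blob: bytes, depth: int = 0, max_depth: int = 2) -> list[str]:
    """Return a list of findings for a ZIP blob; recurses into nested ZIPs."""
    findings = []
    has_link = has_doc = False
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            data = zf.read(info)  # phishing archives are small; read whole entry
            if is_shell_link(data):
                findings.append(f"shell link by header: {name}")
                has_link = True
            elif name.lower().endswith(".lnk"):
                findings.append(f".lnk name without LNK header: {name}")
                has_link = True
            elif depth < max_depth and zipfile.is_zipfile(io.BytesIO(data)):
                nested = triage_archive(data, depth + 1, max_depth)
                findings += [f"{name}/{f}" for f in nested]
            if name.lower().endswith(DOC_EXT):
                has_doc = True
    if has_link and has_doc:
        findings.append("decoy document packaged next to a shell link")
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a decoy PDF beside a file with a real LNK header.
    The shortcut body is zero padding, so it is not a functional shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Statement.pdf", b"%PDF-1.4 decoy placeholder")
        zf.writestr("Statement.lnk", LNK_MAGIC + b"\x00" * 56)
    return buf.getvalue()


if __name__ == "__main__":
    for line in triage_archive(build_sample_archive()):
        print(line)
```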

The attackers have compromised the email server belonging to a hospital, as well as the corporate website of a consulting company, and are using them as infrastructure for the phishing campaign. The hospital email server was used to send the phishing emails while the consulting company website was used to host the zip files linked in the emails, Dunwoody says.

Significantly for victims, APT29 has a tendency to quickly switch out the first phishing implant with a very different operational malware family after initial compromise, Dunwoody says. "Efforts to find the phishing malware on other systems will come up empty, and if a defender is too eager and doesn't spend the time to fully understand the activity, they may miss the new malware and declare victory, while APT29 disappears into their network," he explains.

For reasons that FireEye has not been able to fully understand, the attackers appear to have deliberately reused phishing TTPs that have already been definitively linked to APT29 in the past. Even the virtual machine or builder that was used to create the weaponized Windows shortcut in the current campaign is the same as the one used in 2016.

"We've considered several theories, but we don't have a definitive answer," Dunwoody says. "This was definitely deliberate and appears meant to make a splash, but the reasoning remains unclear." Possible motives include a false flag deception operation or an attempt by the attackers to sow doubt and uncertainty in the research community.

Given the widespread targeting in the latest campaign, organizations that APT29 has targeted previously should take note. But rather than getting hung up on attribution, defenders need to pay attention to the activity and how it might impact them. "The takeaway is that this attack was conducted by a skilled attacker, and it is vital to fully understand the activity," says Nick Carr, senior manager, adversary methods at FireEye. "Whether or not this activity was conducted by APT29, network defenders at targeted companies should be focusing on properly investigating the intrusion." 

APT29/Cozy Bear is one of at least two advanced persistent threat groups believed to be working on behalf of Russia's military intelligence service. The group has been operational since at least 2014 and has been associated with numerous attacks against organizations in the US and elsewhere, including one on the Democratic National Committee (DNC) website in 2016.

Fancy Bear's New Trojan
The other group believed associated with Russia's military intelligence apparatus is APT28, aka Fancy Bear or Sofacy—a group known for targeting organizations in critical infrastructure sectors, such as defense, aerospace, energy, and government.

In a report this week, Palo Alto Networks said the group has begun using a new first-stage Trojan dubbed Cannon, in addition to its usual Zebrocy Trojan, in recent attacks against government targets in North America and Europe.

Cannon, like Zebrocy, is designed to download additional malware on an already compromised system. But Cannon is different from Zebrocy in that it uses a set of email accounts on legitimate email providers, rather than HTTP, for command-and-control (C2) communications, says Bryan Lee, principal researcher for Unit 42 at Palo Alto Networks.

Using a legitimate email provider as a proxy for C2 communications can make it harder for defenders to detect and stop the activity, Lee says. "Having full visibility into what applications are being allowed or accessed in the network can be extremely effective in these types of scenarios in identifying potential compromises," he says.
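One way to get the application visibility Lee describes: review flow logs for endpoints that speak mail protocols (SMTP submission, IMAP, POP3) to anything other than the organisation's own mail servers, since a first-stage implant using external mailboxes for C2 shows up as an unexpected mail client. This is an added example, not Unit 42's code; the flow records and the approved-server list are constructed values, and the "bidirectional" flag (a host both fetching and submitting through an unapproved provider) is the pattern this check looks for.

```python
import csv
import io
from collections import defaultdict

# SMTP/submission, POP3 and IMAP, cleartext and TLS variants.
SUBMIT_PORTS = {25, 465, 587}
FETCH_PORTS = {110, 995, 143, 993}
# Assumed: the organisation's own mail servers (constructed addresses).
APPROVED_MAIL_HOSTS = {"10.0.5.25", "10.0.5.26"}

# Constructed firewall-style flow log; not real traffic.
SAMPLE_FLOWS = """\
ts,src,dst,dport,proto,bytes_out
2018-11-20T08:00:01Z,10.0.21.14,10.0.5.25,587,tcp,4120
2018-11-20T08:05:13Z,10.0.21.14,203.0.113.10,993,tcp,910
2018-11-20T08:15:13Z,10.0.21.14,203.0.113.10,993,tcp,905
2018-11-20T08:25:14Z,10.0.21.14,203.0.113.10,993,tcp,912
2018-11-20T08:25:40Z,10.0.21.14,203.0.113.10,587,tcp,2200
2018-11-20T08:30:00Z,10.0.21.90,10.0.5.26,993,tcp,3000
2018-11-20T08:31:00Z,10.0.21.90,198.51.100.7,443,tcp,52000
"""


def find_unapproved_mail_clients(flow_csv: str) -> dict:
    """Per source host, summarise mail-protocol flows that bypass approved servers."""
    hits = defaultdict(lambda: {"destinations": set(), "ports": set(), "flows": 0})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        port = int(row["dport"])
        if port not in SUBMIT_PORTS | FETCH_PORTS:
            continue  # not a mail protocol
        if row["dst"] in APPROVED_MAIL_HOSTS:
            continue  # normal corporate mail use
        entry = hits[row["src"]]
        entry["destinations"].add(row["dst"])
        entry["ports"].add(port)
        entry["flows"] += 1
    for entry in hits.values():
        # Reading and sending through the same unapproved provider is the
        # shape of a mailbox used as a two-way channel rather than a webmail visit.
        entry["bidirectional"] = bool(entry["ports"] & SUBMIT_PORTS) and bool(
            entry["ports"] & FETCH_PORTS
        )
    return dict(hits)


if __name__ == "__main__":
    for host, entry in find_unapproved_mail_clients(SAMPLE_FLOWS).items():
        print(host, entry)
```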


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments

atawilliams, User Rank: Apprentice, 11/26/2018 | 10:35:29 AM
Indicators of Compromise
Very interesting story. Have the IOCs been pulled from the analysis, and if so, where could they be found for defenders to utilize for defensive purposes?