Attacks/Breaches

11/20/2018
08:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Russia Linked Group Resurfaces With Large-Scale Phishing Campaign

APT29/Cozy Bear is targeting individuals in military, government, and other sectors via email purporting to be from US State Department.

After a nerly two-year hiatus, Russia-based threat group APT29, or Cozy Bear, is back at it, this time with a large-scale phishing campaign targeting US organizations across multiple sectors.

Researchers from security vendor FireEye say they have recently observed a phishing email purporting to be from the US Department of State being sent to individuals in the military, government, law enforcement, pharmaceutical, transportation, and other sectors.

The tactics, techniques, and procedures being used in the campaign, as well as the targeting, are similar to those used by APT29 shortly after the US general elections in November 2016.

FireEye says it is still analyzing the activity and does not have conclusive attribution yet. But there's enough overlap between the current phishing campaign and the one in 2016 to strongly suggest that APT29 is behind it. For instance, the construction of the phishing email, the network infrastructure, and the payload have all been directly linked to APT29 in the past.

"We haven't seen large-scale phishing attacks from this group in two years, but we have seen similar activity from them before," says Matthew Dunwoody, senior security architect at FireEye. Historically, APT29's motivation for such attacks has been access to specific types of geopolitical data. "The large scale of the attack suggests that they may be attempting to hide their true targets," he says.

In a report this week, FireEye described APT29/Cozy Bear's latest campaign as involving a phishing email purporting to be secure communications from a public affairs official the State Department. Links in the document lead to a zip archive containing a Windows shortcut file that is designed to drop a benign decoy document as well as Cobalt Strike Beacon — a commercial penetration-testing tool — on the compromised system.

The attackers have compromised the email server belonging to a hospital, as well as the corporate website of a consulting company, and are using them as infrastructure for the phishing campaign. The hospital email server was used to send the phishing emails while the consulting company website was used to host the zip files linked in the emails, Dunwoody says.

Significantly for victims, APT28 has a tendency to quickly switch out the first phishing implant with a very different operational malware family after initial compromise, Dunwoody says. "Efforts to find the phishing malware on other systems will come up empty, and if a defender is too eager and doesn't spend the time to fully understand the activity, they may miss the new malware and declare victory, while APT29 disappears into their network," he explains.

For reasons that FireEye has not been able to fully understand, the attackers appear to have deliberately reused phishing HTTPs that have already been definitively linked to APT29 in the past. Even the virtual machine or builder that was used to create the weaponized Windows shortcut in the current campaign is the same as the one used in 2016.

"We've considered several theories, but we don't have a definitive answer," Dunwoody says. "This was definitely deliberate and appears meant to make a splash, but the reasoning remains unclear." Possible motives include a false flag deception operation or an attempt by the attackers to sow doubt and uncertainty in the research community.

Given the widespread targeting in the latest campaign, organizations that APT29 has targeted previously should take note. But rather than getting hung up on attribution, defenders need to pay attention to the activity and how it might impact them. "The takeaway is that this attack was conducted by a skilled attacker, and it is vital to fully understand the activity," says Nick Carr, senior manager, adversary methods at FireEye. "Whether or not this activity was conducted by APT29, network defenders at targeted companies should be focusing on properly investigating the intrusion." 

APT29/Cozy Bear is one of at least two advanced persistent threat groups believed to be working on behalf of Russia's military intelligence service. The group has been operational since at least 2014 and has been associated with numerous attacks against organizations in the US and elsewhere, including one on the Democratic National Committee (DNC) website in 2016.

Fancy Bear's New Trojan
The other group believed associated with Russia's military intelligence apparatus is APT28, aka Fancy Bear or Sofacy—a group known for targeting organizations in critical infrastructure sectors, such as defense, aerospace, energy, and government.

In a report this week, Palo Alto Networks said the group has begun using a new first-stage Trojan dubbed Cannon, in addition to its usual Zebrocy Trojan, in recent attacks against government target in North America and Europe.

Cannon, like Zebrocy, is designed to download additional malware on an already compromised system. But Cannon is different from Zobrocy in that it uses a set of email accounts on legitimate email providers, rather than HTTP, for command-and-control (C2) communications, says Bryan Lee, principal researcher for Unit 42 at Palo Alto Networks.

Using a legitimate email provider as a proxy for C2 communications can make it harder for defenders to detect and stop the activity, Lee says. "Having full visibility into what applications are being allowed or accessed in the network can be extremely effective in these types of scenarios in identifying potential compromises," he says.

Related Content:

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
atawilliams
50%
50%
atawilliams,
User Rank: Apprentice
11/26/2018 | 10:35:29 AM
Indicators of Compromise
Very interesting story, have the IOC's been pulled from the analysis and if so where could they be found for defenders to utilize for defensive purposes. 
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
2019 Attacker Playbook
Ericka Chickowski, Contributing Writer, Dark Reading,  12/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
[Sponsored Content] The State of Encryption and How to Improve It
[Sponsored Content] The State of Encryption and How to Improve It
Encryption and access controls are considered to be the ultimate safeguards to ensure the security and confidentiality of data, which is why they're mandated in so many compliance and regulatory standards. While the cybersecurity market boasts a wide variety of encryption technologies, many data breaches reveal that sensitive and personal data has often been left unencrypted and, therefore, vulnerable.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-19790
PUBLISHED: 2018-12-18
An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9 and 4.2.x before 4.2.1. By using backslashes in the `_failure_path` input field of login forms, an attacker can work around the redirection target restricti...
CVE-2018-19829
PUBLISHED: 2018-12-18
Artica Integria IMS 5.0.83 has CSRF in godmode/usuarios/lista_usuarios, resulting in the ability to delete an arbitrary user when the ID number is known.
CVE-2018-16884
PUBLISHED: 2018-12-18
A flaw was found in the Linux kernel in the NFS41+ subsystem. NFS41+ shares mounted in different network namespaces at the same time can make bc_svc_process() use wrong back-channel id and cause a use-after-free. Thus a malicious container user can cause a host kernel memory corruption and a system ...
CVE-2018-17777
PUBLISHED: 2018-12-18
An issue was discovered on D-Link DVA-5592 A1_WI_20180823 devices. If the PIN of the page "/ui/cbpc/login" is the default Parental Control PIN (0000), it is possible to bypass the login form by editing the path of the cookie "sid" generated by the page. The attacker will have acc...
CVE-2018-18921
PUBLISHED: 2018-12-18
PHP Server Monitor before 3.3.2 has CSRF, as demonstrated by a Delete action.