Dark Reading is part of the Informa Tech Division of Informa PLC


Attacks/Breaches

11/20/2018
08:00 PM

Russia Linked Group Resurfaces With Large-Scale Phishing Campaign

APT29/Cozy Bear is targeting individuals in military, government, and other sectors via email purporting to be from the US State Department.

After a nearly two-year hiatus, Russia-based threat group APT29, or Cozy Bear, is back at it, this time with a large-scale phishing campaign targeting US organizations across multiple sectors.

Researchers from security vendor FireEye say they have recently observed a phishing email purporting to be from the US Department of State being sent to individuals in the military, government, law enforcement, pharmaceutical, transportation, and other sectors.

The tactics, techniques, and procedures being used in the campaign, as well as the targeting, are similar to those used by APT29 shortly after the US general elections in November 2016.

FireEye says it is still analyzing the activity and does not have conclusive attribution yet. But there's enough overlap between the current phishing campaign and the one in 2016 to strongly suggest that APT29 is behind it. For instance, the construction of the phishing email, the network infrastructure, and the payload have all been directly linked to APT29 in the past.

"We haven't seen large-scale phishing attacks from this group in two years, but we have seen similar activity from them before," says Matthew Dunwoody, senior security architect at FireEye. Historically, APT29's motivation for such attacks has been access to specific types of geopolitical data. "The large scale of the attack suggests that they may be attempting to hide their true targets," he says.

In a report this week, FireEye described APT29/Cozy Bear's latest campaign as involving a phishing email purporting to be secure communications from a public affairs official at the State Department. Links in the document lead to a zip archive containing a Windows shortcut file that is designed to drop a benign decoy document as well as Cobalt Strike Beacon — a commercial penetration-testing tool — on the compromised system.
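The delivery chain described above (a zip archive linked from the email, a Windows shortcut inside it carrying the payload) is something a mail gateway or sandbox can check for before a user ever opens the archive. The following is an added example for defenders, not code from the article or from FireEye; it inspects a zip archive for shortcut entries by extension and by the Shell Link header (HeaderSize 0x4C followed by the LinkCLSID 00021401-0000-0000-C000-000000000046), and flags double extensions, extension/header mismatches and unusually large shortcuts. The 4 KB size threshold is a heuristic assumption, and the sample archive is constructed inline.

```python
"""Flag Windows shortcut (.lnk) entries inside a zip archive.

Added example, not from the Dark Reading article or FireEye's report.
Assumes the archive arrives as bytes (for example from a mail gateway
quarantine); the sample archive at the bottom is constructed inline.
"""
import io
import zipfile
from typing import Dict, List

# Shell Link header: HeaderSize 0x0000004C (little-endian) followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 in little-endian GUID layout.
LNK_MAGIC = bytes.fromhex("4c00000001140200" "00000000c000000000000046")

# Heuristic assumption: a real shortcut is a few hundred bytes; a shortcut that
# also carries an embedded payload and decoy is far larger.
LARGE_LNK_BYTES = 4096


def classify_entry(name: str, data: bytes) -> List[str]:
    """Return the reasons an archive member looks like a weaponised shortcut."""
    reasons = []
    lower = name.lower()
    has_ext = lower.endswith(".lnk")
    has_hdr = data[:20] == LNK_MAGIC
    if has_ext:
        reasons.append("lnk-extension")
    if has_hdr:
        reasons.append("lnk-header")
    if has_hdr and not has_ext:
        # Shortcut content hiding behind another extension.
        reasons.append("extension-mismatch")
    if has_ext and "." in lower[:-4]:
        # e.g. "Secure_Message.pdf.lnk", shown as a PDF when extensions are hidden.
        reasons.append("double-extension")
    if has_hdr and len(data) > LARGE_LNK_BYTES:
        reasons.append("oversized-shortcut")
    return reasons


def scan_archive(blob: bytes) -> List[Dict]:
    """Scan every file in a zip archive and collect the suspicious members."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            reasons = classify_entry(info.filename, data)
            if reasons:
                findings.append({"name": info.filename, "size": len(data), "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a benign text file, a fake double-extension shortcut
    whose body is an LNK header plus padding standing in for an embedded payload,
    and a small LNK-headered file disguised with a .dat extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "nothing to see here")
        zf.writestr("Secure_Message.pdf.lnk", LNK_MAGIC + b"\x00" * 4096)
        zf.writestr("notes.dat", LNK_MAGIC + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_archive(build_sample_archive()):
        print(finding)
```

A gateway rule built on this would quarantine any archive with a `lnk-header` hit rather than relying on the extension alone, since the header check survives renaming.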

The attackers have compromised the email server belonging to a hospital, as well as the corporate website of a consulting company, and are using them as infrastructure for the phishing campaign. The hospital email server was used to send the phishing emails while the consulting company website was used to host the zip files linked in the emails, Dunwoody says.

Significantly for victims, APT29 has a tendency to quickly switch out the first phishing implant for a very different operational malware family after initial compromise, Dunwoody says. "Efforts to find the phishing malware on other systems will come up empty, and if a defender is too eager and doesn't spend the time to fully understand the activity, they may miss the new malware and declare victory, while APT29 disappears into their network," he explains.

For reasons that FireEye has not been able to fully understand, the attackers appear to have deliberately reused phishing TTPs that have already been definitively linked to APT29 in the past. Even the virtual machine or builder that was used to create the weaponized Windows shortcut in the current campaign is the same as the one used in 2016.

"We've considered several theories, but we don't have a definitive answer," Dunwoody says. "This was definitely deliberate and appears meant to make a splash, but the reasoning remains unclear." Possible motives include a false flag deception operation or an attempt by the attackers to sow doubt and uncertainty in the research community.

Given the widespread targeting in the latest campaign, organizations that APT29 has targeted previously should take note. But rather than getting hung up on attribution, defenders need to pay attention to the activity and how it might impact them. "The takeaway is that this attack was conducted by a skilled attacker, and it is vital to fully understand the activity," says Nick Carr, senior manager, adversary methods at FireEye. "Whether or not this activity was conducted by APT29, network defenders at targeted companies should be focusing on properly investigating the intrusion." 

APT29/Cozy Bear is one of at least two advanced persistent threat groups believed to be working on behalf of Russia's military intelligence service. The group has been operational since at least 2014 and has been associated with numerous attacks against organizations in the US and elsewhere, including one on the Democratic National Committee (DNC) website in 2016.

Fancy Bear's New Trojan
The other group believed to be associated with Russia's military intelligence apparatus is APT28, aka Fancy Bear or Sofacy—a group known for targeting organizations in critical infrastructure sectors, such as defense, aerospace, energy, and government.

In a report this week, Palo Alto Networks said the group has begun using a new first-stage Trojan dubbed Cannon, in addition to its usual Zebrocy Trojan, in recent attacks against government targets in North America and Europe.

Cannon, like Zebrocy, is designed to download additional malware onto an already compromised system. But Cannon differs from Zebrocy in that it uses a set of email accounts on legitimate email providers, rather than HTTP, for command-and-control (C2) communications, says Bryan Lee, principal researcher for Unit 42 at Palo Alto Networks.

Using a legitimate email provider as a proxy for C2 communications can make it harder for defenders to detect and stop the activity, Lee says. "Having full visibility into what applications are being allowed or accessed in the network can be extremely effective in these types of scenarios in identifying potential compromises," he says.
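The application-visibility point Lee makes can be turned into a concrete detection: on most networks only a sanctioned mail client should speak SMTP, IMAP or POP, and only to the corporate mail gateway, so a non-mail process or an external mail host on those ports is worth a look. The following is an added example, not code from the article or from Palo Alto Networks. It assumes an endpoint agent that records one outbound connection per line as `timestamp host process dst_host dst_port`; the allowlists and the log lines are constructed for illustration.

```python
"""Flag endpoint network events that resemble mail-based command-and-control.

Added example, not from the Dark Reading article or Unit 42's report. Assumes
a hypothetical endpoint log with one outbound connection per line:
"timestamp host process dst_host dst_port". All sample data is constructed.
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple

MAIL_PORTS = {25, 110, 143, 465, 587, 993, 995}

# Hypothetical organisation policy (assumption): only these processes may speak
# mail protocols, and only to the corporate mail gateway.
ALLOWED_MAIL_PROCESSES = {"outlook.exe", "thunderbird.exe"}
CORPORATE_MAIL_HOSTS = {"mail.corp.example"}

# Constructed sample log. ws-042 shows a document process and a service host
# talking to an external provider's mail ports; ws-099 shows the real mail
# client reaching an external provider, which still violates the policy.
SAMPLE_LOG = """\
2018-11-20T08:01:02Z ws-017 outlook.exe mail.corp.example 993
2018-11-20T08:01:09Z ws-017 chrome.exe www.example.org 443
2018-11-20T08:02:31Z ws-042 winword.exe mail.corp.example 993
2018-11-20T08:03:10Z ws-042 svchost.exe smtp.mailprovider.example 587
2018-11-20T08:03:12Z ws-042 svchost.exe pop.mailprovider.example 995
2018-11-20T08:05:00Z ws-099 outlook.exe smtp.mailprovider.example 587
"""


def parse_line(line: str) -> Optional[Tuple[str, str, str, str, int]]:
    """Split one log line into its fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5 or not parts[4].isdigit():
        return None
    ts, host, process, dst, port = parts
    return ts, host, process.lower(), dst.lower(), int(port)


def mail_c2_findings(log_text: str) -> List[Dict]:
    """Return every mail-port connection that breaks the mail-usage policy."""
    findings = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        ts, host, process, dst, port = event
        if port not in MAIL_PORTS:
            continue
        reasons = []
        if process not in ALLOWED_MAIL_PROCESSES:
            reasons.append("unexpected-process")
        if dst not in CORPORATE_MAIL_HOSTS:
            reasons.append("external-mail-host")
        if reasons:
            findings.append({"ts": ts, "host": host, "process": process,
                             "dst": dst, "port": port, "reasons": reasons})
    return findings


def hosts_to_investigate(findings: List[Dict]) -> List[Tuple[str, int]]:
    """Rank hosts by number of policy violations, most suspicious first."""
    counts = Counter(f["host"] for f in findings)
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    hits = mail_c2_findings(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print(hosts_to_investigate(hits))
```

The rule deliberately fires on the sanctioned client reaching an external provider as well as on odd processes: a Trojan that drives the user's own mail client would pass a process-only check, while a strict destination allowlist catches both cases. Tune the allowlists to what the network actually permits before deploying.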


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
Comments
atawilliams, User Rank: Apprentice
11/26/2018 | 10:35:29 AM
Indicators of Compromise
Very interesting story. Have the IOCs been pulled from the analysis and, if so, where could they be found for defenders to utilize for defensive purposes?