Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

11/20/2018
08:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Russia Linked Group Resurfaces With Large-Scale Phishing Campaign

APT29/Cozy Bear is targeting individuals in military, government, and other sectors via email purporting to be from US State Department.

After a nerly two-year hiatus, Russia-based threat group APT29, or Cozy Bear, is back at it, this time with a large-scale phishing campaign targeting US organizations across multiple sectors.

Researchers from security vendor FireEye say they have recently observed a phishing email purporting to be from the US Department of State being sent to individuals in the military, government, law enforcement, pharmaceutical, transportation, and other sectors.

The tactics, techniques, and procedures being used in the campaign, as well as the targeting, are similar to those used by APT29 shortly after the US general elections in November 2016.

FireEye says it is still analyzing the activity and does not have conclusive attribution yet. But there's enough overlap between the current phishing campaign and the one in 2016 to strongly suggest that APT29 is behind it. For instance, the construction of the phishing email, the network infrastructure, and the payload have all been directly linked to APT29 in the past.

"We haven't seen large-scale phishing attacks from this group in two years, but we have seen similar activity from them before," says Matthew Dunwoody, senior security architect at FireEye. Historically, APT29's motivation for such attacks has been access to specific types of geopolitical data. "The large scale of the attack suggests that they may be attempting to hide their true targets," he says.

In a report this week, FireEye described APT29/Cozy Bear's latest campaign as involving a phishing email purporting to be secure communications from a public affairs official the State Department. Links in the document lead to a zip archive containing a Windows shortcut file that is designed to drop a benign decoy document as well as Cobalt Strike Beacon — a commercial penetration-testing tool — on the compromised system.

The attackers have compromised the email server belonging to a hospital, as well as the corporate website of a consulting company, and are using them as infrastructure for the phishing campaign. The hospital email server was used to send the phishing emails while the consulting company website was used to host the zip files linked in the emails, Dunwoody says.

Significantly for victims, APT28 has a tendency to quickly switch out the first phishing implant with a very different operational malware family after initial compromise, Dunwoody says. "Efforts to find the phishing malware on other systems will come up empty, and if a defender is too eager and doesn't spend the time to fully understand the activity, they may miss the new malware and declare victory, while APT29 disappears into their network," he explains.

For reasons that FireEye has not been able to fully understand, the attackers appear to have deliberately reused phishing HTTPs that have already been definitively linked to APT29 in the past. Even the virtual machine or builder that was used to create the weaponized Windows shortcut in the current campaign is the same as the one used in 2016.

"We've considered several theories, but we don't have a definitive answer," Dunwoody says. "This was definitely deliberate and appears meant to make a splash, but the reasoning remains unclear." Possible motives include a false flag deception operation or an attempt by the attackers to sow doubt and uncertainty in the research community.

Given the widespread targeting in the latest campaign, organizations that APT29 has targeted previously should take note. But rather than getting hung up on attribution, defenders need to pay attention to the activity and how it might impact them. "The takeaway is that this attack was conducted by a skilled attacker, and it is vital to fully understand the activity," says Nick Carr, senior manager, adversary methods at FireEye. "Whether or not this activity was conducted by APT29, network defenders at targeted companies should be focusing on properly investigating the intrusion." 

APT29/Cozy Bear is one of at least two advanced persistent threat groups believed to be working on behalf of Russia's military intelligence service. The group has been operational since at least 2014 and has been associated with numerous attacks against organizations in the US and elsewhere, including one on the Democratic National Committee (DNC) website in 2016.

Fancy Bear's New Trojan
The other group believed associated with Russia's military intelligence apparatus is APT28, aka Fancy Bear or Sofacy—a group known for targeting organizations in critical infrastructure sectors, such as defense, aerospace, energy, and government.

In a report this week, Palo Alto Networks said the group has begun using a new first-stage Trojan dubbed Cannon, in addition to its usual Zebrocy Trojan, in recent attacks against government target in North America and Europe.

Cannon, like Zebrocy, is designed to download additional malware on an already compromised system. But Cannon is different from Zobrocy in that it uses a set of email accounts on legitimate email providers, rather than HTTP, for command-and-control (C2) communications, says Bryan Lee, principal researcher for Unit 42 at Palo Alto Networks.

Using a legitimate email provider as a proxy for C2 communications can make it harder for defenders to detect and stop the activity, Lee says. "Having full visibility into what applications are being allowed or accessed in the network can be extremely effective in these types of scenarios in identifying potential compromises," he says.

Related Content:

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
atawilliams
50%
50%
atawilliams,
User Rank: Apprentice
11/26/2018 | 10:35:29 AM
Indicators of Compromise
Very interesting story, have the IOC's been pulled from the analysis and if so where could they be found for defenders to utilize for defensive purposes. 
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
MITRE Releases 2019 List of Top 25 Software Weaknesses
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2019
Preventing PTSD and Burnout for Cybersecurity Professionals
Craig Hinkley, CEO, WhiteHat Security,  9/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-9717
PUBLISHED: 2019-09-19
In Libav 12.3, a denial of service in the subtitle decoder allows attackers to hog the CPU via a crafted video file in Matroska format, because srt_to_ass in libavcodec/srtdec.c has a complex format argument to sscanf.
CVE-2019-9719
PUBLISHED: 2019-09-19
A stack-based buffer overflow in the subtitle decoder in Libav 12.3 allows attackers to corrupt the stack via a crafted video file in Matroska format, because srt_to_ass in libavcodec/srtdec.c misuses snprintf.
CVE-2019-9720
PUBLISHED: 2019-09-19
A stack-based buffer overflow in the subtitle decoder in Libav 12.3 allows attackers to corrupt the stack via a crafted video file in Matroska format, because srt_to_ass in libavcodec/srtdec.c misuses snprintf.
CVE-2019-16525
PUBLISHED: 2019-09-19
An XSS issue was discovered in the checklist plugin before 1.1.9 for WordPress. The fill parameter is not correctly filtered in the checklist-icon.php file, and it is possible to inject JavaScript code.
CVE-2019-9619
PUBLISHED: 2019-09-19
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.