CozyDuke APT group believed to have targeted White House and State Department
Nearly six months after the State Department announced an attack on its unclassified email system, the likely attackers have been identified and their tactics detailed.
CozyDuke, as Kaspersky Lab refers to the Advanced Persistent Threat (APT) group, apparently targeted both the White House and the State Department in 2014, along with other government organizations and commercial entities in the U.S., Germany, South Korea and Uzbekistan, according to a blog post on the group. Researchers suspect this isn't the first time the group has been active: Kaspersky believes at least some of the members of MiniDuke and CosmicDuke are involved.
This time around, the group is taking a simpler approach while remaining effective, said Kurt Baumgartner, principal security researcher, GReAT at Kaspersky Lab, in an interview with SCMagazine.com. For instance, they're using the standard Windows API and phasing out custom features used in prior campaigns.
“They're simplifying what they do,” Baumgartner said. “And it looks like they're getting better at evading defenses in place.”
During its most recent campaign, CozyDuke began its attacks with a spear-phishing email that contained a link to a hacked website. In other instances, it sent out a Flash video with the potential to go viral throughout an office environment. If a target opened the video zip file, not only did the video play, but a dropper with anti-detection techniques also ran. The dropper scanned for multiple security products and then proceeded to drop further malware files.
Of note, said Baumgartner, is that certain dropped files have overlapping functions. This, he said, could suggest that multiple organization members worked on these components separately and stitched them together into an attack.
The attackers also use Command and Control (C&C) servers to send commands to infected machines. In prior attacks, the group used Twitter for its control servers, but now primarily relies on compromised servers, Baumgartner said.
CozyDuke succeeds because of its persistence and its initial spear-phishing email efforts. With this in mind, Baumgartner stressed the need to keep staff trained on suspicious emails.