Recently detected spear phishing activity suggests that the Russian APT group Cozy Bear may have emerged from its hibernation and become officially operative once more.
Last week, respected cybersecurity firms CrowdStrike and FireEye both issued warnings about a widespread phishing campaign that targeted multiple industry sectors and employed the tactics, techniques and procedures of Cozy Bear, aka APT29.
Believed to be associated with Russian intelligence, Cozy Bear is considered responsible for hacking the Democratic National Committee (along with fellow Russian APT group Fancy Bear) prior to the 2016 U.S. elections. More recently, the threat actor has been blamed for campaigns targeting Norwegian and Dutch ministries and U.S.-based think tanks and NGOs, but it had seemingly remained quiet in 2018.
In an email sent to SCMedia, CrowdStrike’s Vice President of Intelligence Adam Meyers commented that his firm detected the campaign on Nov. 14. The phishing emails, said Meyers, “purported to be from an official with the U.S. Department of State and contained links to a compromised legitimate website.”
Days later, a Nov. 19 blog post from FireEye would elaborate that the attackers “compromised the email server of a hospital and the corporate website of a consulting company in order to use their infrastructure to send phishing emails.”
FireEye said the malicious links included in the emails led to zip files containing a malicious Windows shortcut file, Malware.Binary.lnk, which acts as a dropper delivering the main payload, Suspicious.Backdoor.BEACON — better known as the Cobalt Strike Beacon backdoor. (FireEye originally reported the campaign on Nov. 15 in a series of tweets.)
Industries reportedly targeted by the campaign included business services, defense, law enforcement, government/U.S. public sector, media, military, pharmaceutical and transportation.
CrowdStrike and FireEye agree that the operation’s TTPs look consistent with Cozy Bear. “Several elements from this campaign — including the resources invested in the phishing email and network infrastructure, the metadata from the weaponized shortcut file payload, and the specific victim individuals and organizations targeted — are directly linked to the last observed APT29 phishing campaign from November 2016,” the FireEye blog post explained.
An email sent on behalf of Brandon Levene, head of applied intelligence at Alphabet’s cybersecurity subsidiary Chronicle, further attested that the TTPs used in the recent campaign were “identical – down to the metadata” to those attributed to APT29 two years earlier.
Levene said the use of Cobalt Strike Beacon represents a new wrinkle for Cozy Bear, suggesting that use of the off-the-shelf tool could have been an attempt to avoid attribution. But so much else overlaps with APT29 that it’s not enough to throw researchers off the scent, he added.
“It’s odd that the exact same techniques were re-used given that they have nation-state resources to develop malware and helped lead to their identification,” Levene said in the email.
Indeed, both FireEye and CrowdStrike stressed that attribution efforts remain ongoing in an attempt to further confirm Cozy Bear’s involvement in this recent activity. FireEye has even acknowledged that the deliberate reuse of old TTPs seems unusually sloppy for a sophisticated Russian actor.
“It has also been over a year since we have conclusively identified APT29 activity, which raises questions about the timing and the similarities of the activity after such a long interlude,” the blog post states, raising the question of whether certain clues could be false flags.