Russian advanced persistent threat (APT) group Cozy Bear has reportedly been targeting U.S. think tanks and non-governmental organizations (NGOs) in the immediate aftermath of the U.S. presidential race, devising malware campaigns that capitalize on post-election controversies.
Cozy Bear, aka APT29, is already known for previously hacking the Democratic National Committee (DNC) and targeting Russia-focused think tanks in Washington D.C. According to a report from incident response and suppression service Volexity, the APT is now focusing its efforts on organizations specializing in national security, defense, international affairs, public policy and European and Asian studies.
While these organizations and their members operate outside of the government, “A lot of times these people have close ties with political [groups],” noted Steven Adair, founder and CEO of Volexity, in an interview with SC Media. And “some of these folks may have access to or be involved with future administrations.”
By infiltrating organizations with close connections to the White House, federal agencies and various political power players, the APT group, which Volexity refers to as “The Dukes,” can potentially pick up valuable foreign intelligence while opening up new pathways to launch attack campaigns against even more high-profile targets, Adair explained.
The Dukes’ newest cyber offensive is aimed at infecting victims with a backdoor malware program that Volexity calls PowerDuke – designed to secretly collect information from compromised machines. The malware-laced emails are distributed via malicious Gmail accounts, as well as what appear to be compromised email accounts from Harvard University’s Faculty of Arts and Sciences.
Volexity has identified five separate PowerDuke spam campaigns, designed to entice recipients into clicking on malicious links or attachments by tantalizing them with subject lines and content that suggest the election was rigged or flawed, or that its outcome could still be changed. Two of the campaigns featured emails that purportedly offered election post-mortem analyses forwarded on from the Clinton Foundation. Others appear to be secure electronic fax messages from eFax, while another looks to come from Harvard’s “PDF Mobile Service.”
Some of the emails contain links to ZIP files containing a Microsoft shortcut file (.LNK) with embedded, malicious PowerShell code that drops PowerDuke; others feature attached Microsoft Word documents containing malicious macros that infect users with the backdoor. Regardless of the method of infection, the email campaigns drop decoy documents that give the communications a false air of legitimacy, while using anti-virtualization technology to avoid machines likely used by IT security personnel or researchers.
Cozy Bear also relies on steganography – the practice of concealing code within images and files – to hide its PowerDuke backdoor inside PNG files, Volexity explained in its report. These files are downloaded only in memory instead of on a machine’s hard drive to increase the malware’s stealth.
“The Dukes continue to launch well-crafted and clever attack campaigns…Volexity believes that The Dukes are likely working to gain long-term access into think tanks and NGOs and will continue to launch new attacks for the foreseeable future,” the report concluded.