Threat Management, Threat Intelligence

Russian malware campaign ‘PowerDuke’ rides post-election wave

Russian advanced persistent threat (APT) group Cozy Bear has reportedly been targeting U.S. think tanks and non-governmental organizations (NGOs) in the immediate aftermath of the U.S. presidential race, devising malware campaigns that capitalize on post-election controversies.

Cozy Bear, aka APT29, is already known for previously hacking the Democratic National Committee (DNC) and targeting Russia-focused think tanks in Washington D.C. According to a report from incident response and suppression service Volexity, the APT is now focusing its efforts on organizations specializing in national security, defense, international affairs, public policy and European and Asian studies.

While these organizations and their members operate outside of the government, “A lot of times these people have close ties with political [groups],” noted Steven Adair, founder and CEO of Volexity, in an interview with SC Media. And “some of these folks may have access to or be involved with future administrations.”

By infiltrating organizations with close connections to the White House, federal agencies and various political power players, the APT group, which Volexity refers to as “The Dukes,” can potentially pick up valuable foreign intelligence while opening up new pathways to launch attack campaigns against even more high-profile targets, Adair explained.

The Dukes' newest cyber offensive is aimed at infecting victims with a backdoor malware program that Volexity calls PowerDuke – designed to secretly collect information from compromised machines. The malware-laced emails are distributed via malicious Gmail accounts, as well as what appear to be compromised email accounts from Harvard University's Faculty of Arts and Sciences.

Volexity has identified five separate PowerDuke spam campaigns, designed to entice recipients into clicking on malicious links or attachments by tantalizing them with subject lines and content that suggest the election was rigged or flawed, or that its outcome could still be changed. Two of the campaigns featured emails that purportedly offered election post-mortem analyses forwarded on from the Clinton Foundation. Others appear to be secure electronic fax messages from eFax, while another looks to come from Harvard's “PDF Mobile Service.”

Some of the emails contain links to ZIP files containing a Microsoft shortcut file (.LNK) with embedded, malicious PowerShell code that drops PowerDuke; others feature attached Microsoft Word documents containing malicious macros that infect users with the backdoor. Regardless of the method of infection, the email campaigns drop decoy documents that give the communications a false air of legitimacy, while using anti-virtualization technology to avoid machines likely used by IT security personnel or researchers.

Cozy Bear also relies on steganography – the practice of concealing code within images and files – to hide its PowerDuke backdoor inside PNG files, Volexity explained in its report. These files are downloaded only in memory instead of on a machine's hard drive to increase the malware's stealth.

"The Dukes continue to launch well-crafted and clever attack campaigns…Volexity believes that The Dukes are likely working to gain long-term access into think tanks and NGOs and will continue to launch new attacks for the foreseeable future,” the report concluded.

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.