Russia’s Cozy Bear comes out of hiding with post-election spear-phishing blitz

/in
Russian President Vladmir Putin in St. Petersburg today for the St. Petersburg International Economic Forum, acknowledged today that Russian hackers may have interfered in the US election.

Enlarge / Russian President Vladmir Putin in St. Petersburg today for the St. Petersburg International Economic Forum, acknowledged today that Russian hackers may have interfered in the US election. (credit: Mikhail Svetlov/Getty Images)

Attackers suspected of working for the Russian government masqueraded as a US State Department official in an attempt to infect dozens of organizations in government, military, defense contracting, media, and other industries, researchers from security firm FireEye warned on Monday.

The spear-phishing campaign began last Wednesday. This is almost exactly two years after the Russian hacking group known under a variety of monikers, including APT29 and Cozy Bear, sent a similar barrage of emails that targeted many of the same industries, FireEye said in a blog post. The tactics and techniques used in both post-election campaigns largely overlap, leading FireEye to suspect the new one is also the work of the Russian-government-controlled hacking arm. FireEye researchers Matthew Dunwoody, Andrew Thompson, Ben Withnell, Jonathan Leathery, Michael Matonis, and Nick Carr wrote:

Analysis of this activity is ongoing, but if the APT29 attribution is strengthened, it would be the first activity uncovered from this sophisticated group in at least a year. Given the widespread nature of the targeting, organizations that have previously been targeted by APT29 should take note of this activity. For network defenders, whether or not this activity was conducted by APT29 should be secondary to properly investigating the full scope of the intrusion, which is of critical importance if the elusive and deceptive APT29 operators indeed had access to your environment.

“Secure” communications

At least 38 FireEye clients have been targeted so far in the spear-phishing campaign, Carr told Ars. The emails purport to deliver an official US State Department from a known public-affairs official at the same US agency. The messages were designed to appear as a secure communication that’s hosted on a webpage linked to the official’s personal drive. To further appear legitimate, the message delivers a legitimate State Department form.

Read 9 remaining paragraphs | Comments

Biz & IT – Ars Technica