Cozy Bear tracks: Phishing campaign looks like work of Russian APT group

News by Bradley Barth

Recently detected spear phishing activity suggests that the Russian APT group Cozy Bear may have emerged from its hibernation and become actively operative once more.

Recently detected spear phishing activity suggests that the Russian APT group Cozy Bear may have emerged from its hibernation and become actively operative once more.

Last last week, respected cyber-security firms CrowdStrike and FireEye both issued warnings referencing a widespread phishing campaign targeting multiple industry sectors, while implementing the tactics, techniques and procedures of Cozy Bear, aka APT29.

Believed to be associated with Russian intelligence, Cozy Bear is considered responsible for hacking the Democratic National Committee (along with fellow Russian APT group Fancy Bear) prior to the 2016 US elections. More recently, the threat actor has been blamed for campaigns targeting Norwegian and Dutch ministries and US-based think tanks and NGOs, but it had seemingly remained relatively quiet in 2018.

In an email sent to SCMedia, CrowdStrike’s Vice President of Intelligence Adam Meyers commented that his firm detected the campaign on 14 November. The phishing emails, said Meyers, "purported to be from an official with the US Department of State and contained links to a compromised legitimate website. Individuals receiving the emails worked at organisations in a range of sectors, including in think tank [organisations], law enforcement, government, and business information services." Meyers did not elaborate on the website that was compromised.

Meyers stated that the TTPs of the attack looked consistent with Cozy Bear – a sentiment echoed by FireEye, which on 15 November posted multiple tweets describing an apparent APT29 spear phishing operation. One tweet described the attacker’s methodology as suspicious PowerShell usage, while another identified the presence of two software tools, Malware.Binary.lnk and Suspicious.Backdoor.BEACON.

"This campaign has targeted over 20 FireEye customers across: Defense, Imagery, Law Enforcement, Local Government, Media, Military, Pharmaceutical, Think Tank, Transportation, & US Public Sector industries in multiple geographic regions," the tweet stated.

An email sent on behalf of Brandon Levene, head of applied intelligence at Alphabet company’s cyber-security subsidiary Chronicle, further attested that the TTPs used in the recent campaign were "identical – down to the metadata" to those attributed to APT29 back in 2016.

According to Levene, the aforementioned Malware.Binary.lnk file is a malicious dropper file placed inside of a zip archive that victims download from a compromised website. Its payload is the Beacon backdoor, an off-the-shelf tool that reports back to the attackers’ C2 infrastructure. Levene said that he use of Beacon represents a new wrinkle for Cozy Bear. Yet so much else overlaps with APT29 that it’s not enough to throw researchers off the scent.

"It’s odd that the exact same techniques were re-used given that they have nation-state resources to develop malware and helped lead to their identification," Levene said in the email.

Both FireEye and CrowdStrike stressed that attribution efforts remain ongoing in an attempt to further confirm Cozy Bear’s involvement in this recent activity.

This article was originally published on SC Media US.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews