The Russian hacking group known as APT28 or Fancy Bear crafted a phishing campaign designed specifically to target attendees of a security conference in the US, according to researchers.
Delegates planning to attend the Washington DC-based Cyber Conflict US conference (CyCon US) received an email in early October with an attachment titled "Conference_on_Cyber_Conflict.doc". The file had been lifted from the conference's website and weaponised with reconnaissance malware known as "Seduploader", according to researchers from Cisco Talos.
The theme of the conference, a collaborative effort between the Army Cyber Institute at the US Military Academy and the NATO Cooperative Cyber Defence Centre of Excellence, is "The Future of Cyber Conflict".
Chris Doman, security researcher at AlienVault, said: “Fancy Bear have been attacking NATO pretty much continuously since at least 2007. Hopefully the fact we continue to see attacks means they don't currently have access to key NATO systems. Given the attackers are rumoured to be a part of Russian military intelligence, attendees of a conference on cyber-conflict run by NATO would seem to be quite logical targeting.”
Although keen to target the conference delegates, the attackers chose to conserve their technical budget, eschewing a costly zero-day exploit in favour of a far cheaper malicious Visual Basic for Applications (VBA) macro embedded in the document.
Seduploader, a dropper-and-payload combination APT28 has used widely in the past, was only lightly tweaked: publicly documented details such as the mutex name and the obfuscation keys were changed to evade signature-based detection.
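Because the lure was a legitimate conference document with a VBA macro added, and the dropper itself was altered only in the strings that signatures tend to key on (mutex name, obfuscation keys), a practical mail-gateway triage check keys on the structural fact that a Word attachment carries a VBA project at all, rather than on any particular string. The following is an added illustration written for this article, not code from Cisco Talos or any of the quoted vendors; the sample files it builds are constructed in-memory stand-ins (a minimal fake OLE2 blob and a small ZIP), not the real attachment, and the function and marker names are this example's own.

```python
"""Heuristic triage of Word attachments for embedded VBA macros.

Two containers are handled:
  * legacy .doc files, which are OLE2 compound files; a VBA project
    shows up as directory entries named "Macros" and "_VBA_PROJECT",
    stored as UTF-16LE strings in the directory sectors;
  * OOXML .docx/.docm files, which are ZIP archives; a VBA project is
    carried as the part word/vbaProject.bin.
This is a first-pass filter, not a full parser: it answers "is there a
macro project in here?" so that such mail can be held for inspection.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound file header
ZIP_MAGIC = b"PK\x03\x04"                          # ZIP local file header

# Directory entry names present only when a legacy .doc carries VBA.
OLE_VBA_MARKERS = [name.encode("utf-16-le") for name in ("Macros", "_VBA_PROJECT")]


def triage_word_attachment(data: bytes) -> dict:
    """Return container type, a has_vba verdict and the indicators found."""
    result = {"container": "unknown", "has_vba": False, "indicators": []}

    if data.startswith(OLE_MAGIC):
        result["container"] = "ole2"
        # Directory entry names are UTF-16LE, so search for the encoded form.
        for marker in OLE_VBA_MARKERS:
            if marker in data:
                result["indicators"].append(marker.decode("utf-16-le"))
        result["has_vba"] = bool(result["indicators"])

    elif data.startswith(ZIP_MAGIC):
        result["container"] = "ooxml"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            # A .doc/.docm that is not a valid archive is itself suspicious.
            result["indicators"].append("corrupt zip container")
            return result
        vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
        result["indicators"].extend(vba_parts)
        result["has_vba"] = bool(vba_parts)

    return result


def build_samples() -> dict:
    """Constructed sample attachments (not real files) for demonstration."""
    # Fake legacy .doc: valid magic, a WordDocument entry name, no VBA.
    clean_doc = OLE_MAGIC + b"\x00" * 64 + "WordDocument".encode("utf-16-le") + b"\x00" * 64
    # Same file with the directory names a VBA project would add.
    macro_doc = (clean_doc + "Macros".encode("utf-16-le") + b"\x00" * 16
                 + "_VBA_PROJECT".encode("utf-16-le"))
    # Minimal macro-enabled OOXML archive containing a vbaProject part.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"constructed placeholder")
    macro_docm = buf.getvalue()
    return {"clean.doc": clean_doc, "lure.doc": macro_doc, "lure.docm": macro_docm}


def main() -> None:
    for name, data in build_samples().items():
        verdict = triage_word_attachment(data)
        action = "HOLD for analyst review" if verdict["has_vba"] else "deliver"
        print(f"{name}: container={verdict['container']} has_vba={verdict['has_vba']} "
              f"indicators={verdict['indicators']} -> {action}")


if __name__ == "__main__":
    main()
```

The check deliberately ignores the strings APT28 changed between campaigns; a gateway rule of the form "external sender plus macro-bearing Office attachment" survives that kind of re-tooling, whereas a mutex-name or hash signature does not. A positive result is a reason to detonate or inspect the file, not a proof of malice, since plenty of legitimate documents carry macros.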
Ian Pratt, co-founder and president at Bromium, told SC Media UK: “The attack could be seen as lo-fi, but on the other hand we have seen phishing campaigns succeed time and time again because they target busy, distracted users in a clever way. In this case, the hackers preyed on trust. The conference attendees are less likely to think that a document containing event information is going to be malicious, and this particular example looked pretty convincing. You also have to consider that these people are busy in their day-to-day lives, just like any other phishing target, and often do not have the time to properly screen their emails. This is yet another example of user education failing.”
Although the success rate of the campaign is unknown, Cisco Talos observed a peak in attack activity three days after the file was created on 4 October.
CyCon will take place on November 7-8, and speakers include former US National Security Agency director Keith Alexander and current commanding general of the US Army's Cyber Command, Paul Nakasone.