Russian Hackers Have New Phishing Tricks

A major question hanging over the United States midterm election season: Where was Russia? But while hackers didn’t directly interfere, they appear to be as active as ever. 

New research from two threat intelligence firms indicates that two prominent Russia-linked groups have been developing some clever phishing innovations, and are working purposefully to expand their reach.

"There’s a lot of ramping up from this particular nation state in general," says Jen Miller-Osborn, deputy director of threat intelligence in Palo Alto Networks' Unit 42 research team.

The prolific hacking group APT 28, also known as Fancy Bear or Sofacy, which memorably hacked the Democratic National Committee in 2016, has a new phishing tool in its arsenal, according to findings from security firm Palo Alto Networks. 

The Trojan, concealed in a malicious document attachment, uses some classic techniques to send information about a target system back to a remote server, but the tool has been reworked for current use.

APT 28 is known for constantly evolving its tools, and drawing on methods that have fallen out of fashion to create something new that flies under the radar. Its newly minted "Cannon" Trojan, which Palo Alto spotted during attacks in late October and early November, does both. 

The malware communicates with its command and control server via emails sent over an encrypted connection, so they can't be read on the way. Hackers use all sorts of communication schemes for command and control, including hiding communications in a victim's regular network traffic, piggybacking on compromised web services, or manipulating normal internet protocol requests. 

Using email for this communication is a technique that was widely popular several years ago, but had largely faded until its reappearance here.

"Actors shifted away likely because the technique got more well known," Miller-Osborn says. "It fits in with Sofacy's constant retooling. It's not uncommon to see them come out with a new variant or a totally new malware family."

Palo Alto Networks researchers have only found one sample of the special Cannon-laced malicious document so far, but it was part of a broader APT 28 phishing campaign they observed that focused on government targets in North America, Europe, and a former USSR state that the company declined to name.

Meanwhile, investigators at FireEye observed an extensive phishing campaign launched last week that appears to come from APT 29 hackers, also called Cozy Bear. The group participated in the DNC and other hacks during the 2016 US presidential election, and went on to other international government hacking after that, but has seemed to be dormant since sometime in 2017.

Partly because of that long stretch of inactivity, it's difficult to tell for sure that it’s the same group reemerging now. But after digging into the wave of attacks, FireEye says it is probable that Cozy Bear is behind it.

“It’s been so long since we’ve seen them that this caught me by surprise,” says Matthew Dunwoody, a principal security researcher at FireEye, who had previously on eight APT 29 remediation’s as a threat responder. 

“This is a group that historically has been very innovative in the way they’ve gone about things. Some other groups try to be very low and slow about how they launch an attack. But sometimes being very noisy and using that as cover for your more discreet activities can work as well, especially if you’re Russia and you’re not as worried necessarily about the repercussions.”

APT 29 has used this boisterous style to go after a number of international targets in recent weeks, including think tanks, media outlets, transportation, pharmaceutical groups, law enforcement agencies, defense contractors, and US military groups. 

The attackers are focused on many victims, both groups and individual people, that they have targeted in the past, and the phishes in this campaign are tailored to individuals, rather than reaching out randomly to people within an organisation.

The phishing messages are designed to appear to come from the US State Department, though FireEye emphasises that the there’s no evidence of compromised State Department accounts. The messages contain malicious links that initiate the download of a Windows backdoor, the popular defense tool turned malware called Cobalt Strike that is abused by numerous different hacking groups. 

Dunwoody says that APT 29 traditionally relies on custom malware, but could be moving to off-the-shelf exploits as part of a larger criminal trend toward using more generic tools that are already available.

“They definitely prepared this carefully and took their time, and it does seem as though they are hand-picking targets,” Dunwoody says. “A lot of attackers will go after the person they think is most likely to click a link, whereas APT 29 has a history of going after specific individuals to increase the odds of actually getting the data they’re looking for.”

It’s possible that the similarities between the phishing campaign FireEye observed and the past movements of APT 29 are false flags, planted to make the activity seem like Russian state-sponsored hacking when it’s really something else. But Dunwoody says FireEye wanted to publish its evidence so other researchers can weigh in on the attribution to APT 29.

Taken together, the two reports suggest that despite recent US efforts to tamp down Russian hacking activity in the wake of the 2016 election, including indictment related to their activities, and telling individual hackers to knock it off, have not entirely deterred the GRU.

“We’re seeing APT 28 continuing to do their phishing,” Dunwoody says. “That shouldn’t surprise anyone.”

Wired:

You Might Also Read:

Russian Hackers Have Neww Weapons:

Russia Stands Accused Of Global Hacking Campaign

« Faster Blockchain For Financial Institutions
Maritime Cybersecurity Takes A Big Step Forward »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Paladion

Paladion

Paladion is a provider of managed IT security services.

Second Nature Security (2NS)

Second Nature Security (2NS)

2NS provide vulnerability assessment, penetration testing, security audit, application and network security and secure software development processes.

Korea Information Security Industry Association (KISIA)

Korea Information Security Industry Association (KISIA)

KISIA is a non-profit organization for the information security industry in Korea.

Bugcrowd

Bugcrowd

As leaders in crowdsourced security testing, Bugcrowd connects companies and their applications to a crowd of tens of thousands of security researchers to identify critical software vulnerabilities.

ATIS Systems

ATIS Systems

ATIS Systems offers first-class complete solutions for legal interception, mediation, data retention, and IT forensics.

Westminster Insight - Cyber Security Conference

Westminster Insight - Cyber Security Conference

Join colleagues this December for Westminster Insight’s Cyber Security Conference, as you’ll assess how new technologies such as AI can secure your organisation against future threats.

Adlumin

Adlumin

Adlumin Inc. provides the enterprise-grade security operations platform and managed detection and response services that keep mid-market organizations secure.

ThreatReady Resources

ThreatReady Resources

ThreatReady reduces an organization’s risk by delivering cyber security awareness training based on the latest, state-of-the-art learning science to effectively drive long-term cyber-safe behavior.

Kape Technologies

Kape Technologies

Kape Technologies is a cybersecurity company focused on helping consumers around the world have a better digital experience with greater privacy and protection.

Emerge Digital

Emerge Digital

Emerge Digital is a technology and digital innovation business and Managed Services Provider providing solutions to SMEs.

Pistachio

Pistachio

Pistachio is the new evolution of cybersecurity awareness training and attack simulations.

Silverse

Silverse

At Silverse, we specialize in building a comprehensive cybersecurity journey, anchored by our extensive experience, industry expertise, and an ecosystem of trusted partners.

Diversified Technical Services Inc. (DTSI)

Diversified Technical Services Inc. (DTSI)

DTSI provides a wide range of technology solutions for Federal Agencies, the Department of Defense, and commerical organizations with capabilities including Cyber Security and DevSecOps.

AuditBoard

AuditBoard

AuditBoard is the leading cloud-based platform transforming audit, risk, ESG, and InfoSec management.

VAST Data

VAST Data

The VAST Data Platform delivers scalable performance, radically simple data management and enhanced productivity for the AI-powered world.

Trium Cyber

Trium Cyber

Trium Cyber - Expert Cyber Underwriting and Claims Management. Based in the US and UK. Backed by Lloyd’s of London.