A phishing campaign bent on espionage, believed to be launched by the nation-state threat group known as APT29, is targeting high-value targets across the think-tank, law enforcement, media, U.S. military, imagery, transportation, pharmaceutical, national government and defense contracting sectors.
It’s the first large-scale campaign seen in two years from APT29, which researchers believe to be an attack group linked to Russian intelligence.
According to researchers at FireEye, the phishing emails purport to be from the U.S. Department of State with links to zip files containing malicious Windows shortcuts.
If a target clicks on a link in the phishing email, this will lead to a ZIP archive with a weaponized Windows shortcut file, hosted on a compromised legitimate domain. The shortcut file was crafted to execute a PowerShell command that downloads both a benign decoy document and the Cobalt Strike Beacon payload.
“The phishing emails were made to look like secure communication from a public affairs official at the U.S. Department of State, hosted on a page made to look like another Department of State Public Affairs official’s personal drive, and used a legitimate Department of State form as a decoy,” the researchers said in a posting on Monday.
For its part, Cobalt Strike is a commercially available exploitation framework. Beacon is a backdoor module that executes PowerShell scripts, logs keystrokes, takes screenshots, downloads files and spawns other payloads. It also has the ability to create a command-and-control (C2) profile to look like another actor or legitimate service in order to avoid tracking; in the case of this latest campaign, it’s using a modified variation of the publicly available Pandora Malleable C2 Profile with the domain pandorasong[.]com – designed to masquerade as the Pandora music streaming service.
“The attacker appears to have compromised the email server of a hospital and the corporate website of a consulting company in order to use their infrastructure to send phishing emails,” explained the researchers. “This information could be obtained via publicly available data, and there is no indication that the Department of State network was involved in this campaign.”
APT29 Comes Out of Hiding
APT29, a.k.a. Cozy Bear, CozyDuke, the Dukes or PowerDukes, is perhaps best-known for the intrusion at the Democratic National Committee ahead of the U.S. presidential election in 2016. Its last known widespread phishing campaign was post-election, in November 2016, when was implicated in attacks against the White House, State Department and Joint Chiefs of Staff.
Its history stretches back a few years; it was also seen by Kaspersky Lab carrying out data-mining attacks against the White House and the Department of State in 2014.
While it was seen in November last year executing a Tor backdoor, it has been largely quiet on the spear phishing front since 2016 – so its re-emergence two years later is notable.
“If the APT29 attribution is strengthened, it would be the first activity uncovered from this sophisticated group in at least a year,” FireEye researchers said. “[This] raises questions about the timing and the similarities of the activity after such a long interlude.”
The researchers believe that APT29 is behind the offensive because several of its unique aspects directly link to that previous phishing expedition. These include elements of the phishing email and network infrastructure, the metadata from the weaponized shortcut file payload, and the specific victim individuals and organizations targeted (previous APT29 activity targeted some of the same recipients of the new email campaign), researchers noted.
“There are several similarities and technical overlaps between the 14 November 2018, phishing campaign and the suspected APT29 phishing campaign on 9 November 2016, both of which occurred shortly after U.S. elections,” wrote the team.
This included a seemingly deliberate reuse of old phishing tactics, techniques and procedures (TTPs), including using the same system to weaponize a Windows shortcut (LNK) file.
“The malicious LNK used in the recent spear phishing campaign has technical overlaps with a suspected APT29 LNK from November 2016,” the researchers noted. “The 2018 and 2016 LNK files are similar in structure and code, and contain significant metadata overlap, including the MAC address of the system on which the LNK was created.”
That’s not to say that there aren’t new aspects involved in the 2018 effort. Notable differences from the earlier campaign include the use of Cobalt Strike, rather than custom malware, for instance. Also, during the phishing campaign, there were indications that the site hosting the malware was selectively serving payloads.
“For example, requests using incorrect HTTP headers reportedly served ZIP archives containing only the benign publicly available Department of State form,” the FireEye team explained. “It is possible that the threat actor served additional and different payloads depending on the link visited; however, FireEye has only observed two: the benign and Cobalt Strike variations.”
Russian-backed hacking didn’t reach the levels feared during this past midterm election season. “At this time we have no indication of compromise of our nation’s election infrastructure that would prevent voting, change vote counts, or disrupt the ability to tally votes,” the FBI said in a statement on Election Day. However, the re-emergence of APT29 in such a widespread campaign (FireEye said that it spanned more than 20 organizations worldwide) does show that such sophisticated actors remain active and engaged.
“Given the widespread nature of the targeting, organizations that have previously been targeted by APT29 should take note of this activity,” FireEye researchers said. “For network defenders, whether or not this activity was conducted by APT29 should be secondary to properly investigating the full scope of the intrusion, which is of critical importance if the elusive and deceptive APT29 operators indeed had access to your environment.”