Mere hours after Donald Trump was declared victorious in the wake of the US elections, the Kremlin-linked hacker group Cozy Bear (APT29) reportedly launched a wave of attacks on US-based targets.
The hacker group, believed to be behind the controversial Democratic National Committee (DNC) hack, among others, has been identified as the group responsible for the "post-election attack" which targeted those who worked in organisations such as Radio Free Europe/Radio Liberty, the Rand Corporation, the Atlantic Council and the US State Department.
According to Washington-based cyber response firm Volexity, Cozy Bear hackers launched five different spear-phishing campaigns, "with a heavy focus on U.S.-based think tanks and non-governmental organizations (NGOs)".
Volexity CEO Steven Adair said in a blog post that the group, also called The Dukes, launched the "coordinated and well-planned" attacks less than six hours after Trump became the president-elect.
Cozy Bear used compromised Harvard and Clinton Foundation emails
The attackers sent emails from compromised Gmail accounts of people working at Harvard's Faculty of Arts and Sciences (FAS). The emails were meant to trick victims into believing they were legitimate. One campaign sent messages posing as forwarded emails from the Clinton Foundation "giving insight and perhaps a postmortem analysis into the elections".
Two other Cozy Bear campaigns saw emails purporting to be eFax links or documents "pertaining to the election's outcome being revised or rigged", while another campaign saw emails redirecting victims to a supposed link of a PDF document stating "Why American Elections Are Flawed".
One of the targets, who worked at an NGO, told Motherboard that she "almost fell for it", referring to the phishing emails she received. "Right before I opened the file, I started to think about the casual language in the email," said the victim, who asked to remain anonymous. Referring specifically to the expression "FYI" at the top of the email, she added, "That's not how academics speak. Also, why would the Clinton Foundation send out information about the election, it didn't make sense."
However, she added, "If the language had been less casual and more academic, I might have [fallen for it]!"
The hacker group's most recent attacks were found to carry Microsoft Word and/or Excel attachments which, when opened, showed "legitimate report content from each of the organizations they appeared to have been sent from", according to Volexity's CEO. However, the attachments came with embedded macros that acted as a malware dropper.
Volexity dubbed this backdoor "PowerDuke". Adair noted that similar attack campaigns using PowerDuke occurred throughout October, which targeted universities and not think tanks.
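The delivery mechanism described above, an Office attachment that looks like a legitimate report but carries a VBA macro project, is something a mail gateway or analyst can check for structurally before any macro is executed. The script below is an added example written for this page; it is not code from the article, from Volexity, or from any PowerDuke sample. It relies only on the OOXML container format: a modern Word or Excel file is a ZIP archive, and a macro-enabled document carries a `vbaProject.bin` part and declares the `application/vnd.ms-office.vbaProject` content type in `[Content_Types].xml`. The attachment names and file contents are constructed in memory so the script runs offline; legacy binary `.doc`/`.xls` (OLE2) files are flagged for separate analysis rather than silently passed, since their macros are stored differently.

```python
"""
Added example (not from the article or Volexity): flag Office attachments
that contain a VBA macro project, the dropper mechanism described above.
Handles OOXML (.docx/.docm/.xlsx/.xlsm) containers; legacy OLE2 files are
escalated for separate OLE/VBA analysis rather than reported as clean.
"""
import io
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
WORD_MAIN_TYPE = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
WORD_MACRO_MAIN_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # compound-file header signature


def inspect_office_attachment(data: bytes) -> dict:
    """Return a verdict for one attachment's raw bytes: format, macro flag, evidence."""
    result = {"format": "unknown", "has_macros": False, "evidence": []}

    if data.startswith(OLE2_MAGIC):
        # Legacy .doc/.xls: macros live inside OLE storages this helper does not
        # parse, so escalate instead of letting the file through.
        result["format"] = "ole2"
        result["evidence"].append("legacy OLE2 container: needs OLE/VBA analysis")
        return result

    if not zipfile.is_zipfile(io.BytesIO(data)):
        result["evidence"].append("not an Office container")
        return result

    result["format"] = "ooxml"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # Evidence 1: a VBA project part anywhere in the package (word/, xl/, ppt/).
        for name in zf.namelist():
            if name.lower().endswith("vbaproject.bin"):
                result["has_macros"] = True
                result["evidence"].append(f"macro part present: {name}")
        # Evidence 2: the package declares the VBA project content type.
        try:
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        except KeyError:
            ctypes = ""
        if VBA_CONTENT_TYPE in ctypes:
            result["has_macros"] = True
            result["evidence"].append("vbaProject content type declared")
    return result


def triage_attachments(attachments: dict) -> dict:
    """Run the inspection over a {filename: bytes} mapping, e.g. one email's attachments."""
    return {name: inspect_office_attachment(blob) for name, blob in attachments.items()}


def _build_ooxml(with_macros: bool) -> bytes:
    """Constructed sample: a minimal Word package, optionally with a placeholder VBA part."""
    main_type = WORD_MACRO_MAIN_TYPE if with_macros else WORD_MAIN_TYPE
    overrides = [f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>']
    if with_macros:
        overrides.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        + "".join(overrides) + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder, not real VBA
    return buf.getvalue()


# Constructed attachment set (hypothetical names, no real samples).
SAMPLE_ATTACHMENTS = {
    "report.docx": _build_ooxml(with_macros=False),
    "election_analysis.docm": _build_ooxml(with_macros=True),
    "old_report.doc": OLE2_MAGIC + b"\x00" * 8,
    "notes.txt": b"plain text",
}

if __name__ == "__main__":
    for name, verdict in triage_attachments(SAMPLE_ATTACHMENTS).items():
        if verdict["has_macros"]:
            flag = "MACROS"
        elif verdict["format"] == "ooxml":
            flag = "clean "
        else:
            flag = "REVIEW"
        print(f"{flag} {name}: {verdict['evidence']}")
```

A structural check like this is cheap and does not depend on a signature for any particular dropper, which is the gap Adair describes when he says the emails "went right through" anti-virus filters: the macro is present whether or not the payload it drops is known. It is a triage signal, not a verdict on intent, since legitimate macro-enabled documents exist; the useful policy is to quarantine or detonate macro-bearing attachments from external senders rather than rely on the recipient noticing "casual language".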
Attacks not detected easily
The organisations targeted by the hacker group used various types of anti-virus protection, Adair wrote. Yet "these emails, for the most part – not 100 percent, but for the most part – went right through all these filters. They're not getting detected, they're not getting flagged," he added.
"[It] gives them a head start. Even if you are a security researcher who knows this is bad, it's not necessarily as simple as running it and having an answer a minute later. It takes a bit of analysis time. So, that gives the attackers lead time to conduct their operation, especially before they are found out."
More attacks can be expected
Adair stressed that the hacker group's focus on think tanks and NGOs "represented a fairly significant shift in the group's previous operations". The shift in focus continued in the lead-up to the US presidential elections. The post-election attacks indicate that these targets may be data-rich enough for the hackers to keep pursuing them.
Adair added that the hackers are seeking to gain "long-term access" into think tanks and NGOs and "will continue to launch new attacks for the foreseeable future."