A group of Russian hackers known as CozyDuke has been identified as being responsible for a sustained cyber attack against the White House.
Researchers at Russia-based Kaspersky Lab have published their latest findings about the advanced persistent threat (APT) actor known as CozyDuke, and while the security firm has stopped short of explicitly attributing blame to any one country, corroborating evidence indicates that the Russian government is behind attacks on the White House and the Department of State - something US officials had previously claimed.
When the intrusion was initially reported in October, US officials said no sensitive information had been accessed, but in April, sources at the White House said the hackers had gained access to President Obama's schedule which, while not classified, is seen as highly prized by foreign intelligence agencies.
The group, also known as CozyBear, CozyCar or "Office Monkeys", has been linked by Kaspersky Lab to other APT groups - OnionDuke, MiniDuke and CosmicDuke - which have previously been linked to the Russian government.
In July 2014, CosmicDuke was revealed as a state-sponsored malware campaign targeting users in Ukraine as part of Russia's ongoing cyber-espionage campaign. The command-and-control communication methods used by CozyDuke are similar to those used in the CosmicDuke attacks, according to Kaspersky Lab.
The researchers add that parts of the CozyDuke malware have been built on the same platform as OnionDuke and MiniDuke, both of which are believed to be groups of Russian hackers operating at the behest of the Russian government.
Office Monkeys LOL
Last year it was reported that hackers had shut down the email system of the Executive Office of the President, with White House officials claiming the attack was state-sponsored; three months later the attackers were still present on the non-classified network.
Kaspersky says the group goes after "blatantly sensitive high profile victims and targets" utilising "evolving crypto and anti-detection capabilities".
The main attack vector was spear phishing campaigns, some of which contained links to high-profile, legitimate websites such as "diplomacy.pl", which hosted a Zip archive.
Once downloaded and extracted, the Zip archive yields a file that installs the malware, together with a decoy file that displays an empty PDF.
Another "highly successful" attack saw the hackers send phoney Flash videos attached to the phishing emails, one of which was a video called "Office Monkeys LOL Video.zip". When the victim clicks on the link the video plays, but in the background the malware is installed on the system.
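The two lures described above share a pattern a mail gateway or triage script can check for: a Zip attachment that carries an executable (often named to look like a video or document) alongside a harmless decoy file. The following is an added example, not code from the article or from Kaspersky Lab, of such a check in Python. It inspects each archive member by content (the "MZ" header of a Windows executable) as well as by name (double extensions such as ".flv.exe"), and flags archives that pair an executable with a decoy. The member names and file contents in the sample archive are constructed for illustration and are not real malware.

```python
import io
import zipfile

# Extensions that should not appear inside an attachment claiming to be a video or document.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions typically used by the decoy that is shown to the victim.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".flv", ".swf", ".mp4"}


def _extensions(member_name: str) -> list:
    """Return every extension of a member's base name, e.g. 'a.flv.exe' -> ['.flv', '.exe']."""
    base = member_name.lower().rsplit("/", 1)[-1]
    return ["." + part for part in base.split(".")[1:]]


def inspect_zip(data: bytes) -> dict:
    """Inspect a Zip archive (as bytes) and report executable members, disguised names and decoys."""
    findings = {"executables": [], "double_extensions": [], "decoys": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = _extensions(info.filename)
            last = exts[-1] if exts else ""
            # Look at the bytes, not only the name: a renamed PE file still starts with "MZ".
            with zf.open(info) as fh:
                looks_pe = fh.read(2) == b"MZ"
            if looks_pe or last in EXECUTABLE_EXTENSIONS:
                findings["executables"].append(info.filename)
            # "video.flv.exe": a media or document extension hiding an executable extension.
            if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS and last in EXECUTABLE_EXTENSIONS:
                findings["double_extensions"].append(info.filename)
            if last in DECOY_EXTENSIONS and not looks_pe:
                findings["decoys"].append(info.filename)
    # Any executable content is enough to hold the attachment for review; the decoy
    # list is kept so an analyst can see the full lure the victim would have been shown.
    findings["suspicious"] = bool(findings["executables"]) or bool(findings["double_extensions"])
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample mimicking the lure pattern: a fake 'video' that is really an
    executable stub (harmless bytes, only the MZ header) plus an empty decoy PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Office Monkeys LOL Video.flv.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("decoy.pdf", b"%PDF-1.4\n%%EOF\n")
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed control case: a Zip containing only a document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4\n%%EOF\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_zip(build_sample_archive()))
    print(inspect_zip(build_benign_archive()))
```

Checking the header bytes matters more than the name check: an attacker controls the file name, but a Windows executable must still begin with "MZ" to run, so a content check catches renamed binaries that a name-based rule would miss.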