They’re baaack

A cyber-espionage campaign against numerous western targets has been blamed on a notorious Kremlin-linked group whose operations have stayed under the radar for almost two years.

APT29 (AKA ‘Cozy Bear’) has resurfaced with a phishing campaign that poses as an email message from the US Department of State. The email contains links to zip files harboring malicious Windows shortcuts set up to deliver the Cobalt Strike backdoor.

Think tanks, law enforcement, media, transportation, pharmaceutical, US military, national government, and defense contractors have all been targeted by the offensive, threat intel firm FireEye reports.

Cozy Bear, the hacking group with purported links to the Russian government, has been blamed for the assault, in part because of similarities to a previous campaign dating back two years to November 2016.

“Notable similarities between this and the 2016 campaign include the Windows shortcut metadata, targeted organizations and specific individuals, phishing email construction, and the use of compromised infrastructure,” FireEye reports.

“Notable differences include the use of Cobalt Strike, rather than custom malware; however, many espionage actors do use publicly and commercially available frameworks for reasons such as plausible deniability.”

The latest attack is far from subtle, with infosec experts including Kevin Beaumont reporting that antivirus defenses lit up like a Christmas tree when confronted with it.

More than 20 FireEye clients across multiple industries were targeted.

Why give up the high ground?

APT29 – unlike APT28 – has been out of the news for many months, since attacks on Dutch and Norwegian government targets in February 2017. Its reappearance after a long absence has resulted in plenty of head scratching by security experts.

Researchers at FireEye have discounted the theory that the latest attack is so noisy and unsubtle that it might be the work of a third party using tactics previously associated with Russian state-sponsored hackers in order to misdirect blame.

This leaves the possibilities, among others, that Russian hackers have either got beyond the point where they care about detection, or that the urgency of the current mission has relegated getting spotted to a secondary concern.

Former US government intel officer Jason Kichen writes: “It’s incredibly unlikely that 29 has been actually dormant since the fall of 2016… this sort of actor isn’t just mothballed because reasons.

“Having the freedom to collect and expertly plan, and operating entirely under the TI [threat intelligence] sector’s radar, is a good place to be. Thus, what mission objective was so important to give up that high ground and put yourself back on the radar?”

APT29 has been linked to Russian intelligence by other security researchers, but there’s no unanimity on whether it’s led by the Russian Foreign Intelligence Service (SVR) or the Federal Security Service (FSB).

From Cozy Bear to Fancy Bear

In other cyber-espionage news, desk-bound tech-savvy Russian spies are allegedly running a spear-phishing campaign, using the recent Lion Air disaster as a theme, and featuring a booby-trapped Word attachment.

Government organizations in the EU, US, and former Soviet states were targeted in an attack ultimately designed to plant the Zebrocy trojan, researchers at Palo Alto Networks’ Unit 42 research arm report.

The same Sofacy (APT28) group is using a “very similar delivery document to deliver a new Trojan called Cannon”, it adds.

Cannon uses email as a conduit for command and control of infected hosts, an unusual tactic that makes life harder for network defenders.

“This is not a new tactic but may be more effective at evading detection as the external hosts involved are a legitimate email service provider,” according to a blog post by Unit 42 researchers Robert Falcone and Bryan Lee.

“Add the layer of encryption that the SMTPS and POP3S protocols provide to the legitimate web-based service and you have a very difficult C2 channel to block.”
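Because the mail provider itself cannot simply be blocked, one defensive angle is to look at which process on an endpoint opens SMTPS or POP3S sessions. The sketch below is an added example, not taken from Unit 42 or this article; the CSV schema, host names, process names and approved-client list are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Implicit-TLS mail ports for the two protocols named in the quote above.
MAIL_TLS_PORTS = {465: "SMTPS", 995: "POP3S"}
# Assumption: the only programs this site expects to speak mail from workstations.
APPROVED_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Constructed endpoint connection telemetry (hypothetical schema, hosts and names).
SAMPLE_LOG = r"""timestamp,host,image,dest_host,dest_port
2018-11-20T09:00:01Z,WS-014,C:\Program Files\Microsoft Office\OUTLOOK.EXE,mail.example.com,995
2018-11-20T09:00:07Z,WS-014,C:\Program Files\Google\Chrome\chrome.exe,www.example.org,443
2018-11-20T09:02:13Z,WS-022,C:\Users\Public\updater.exe,smtp.mail.example.net,465
2018-11-20T09:02:44Z,WS-022,C:\Users\Public\updater.exe,pop.mail.example.net,995
2018-11-20T09:12:44Z,WS-022,C:\Users\Public\updater.exe,pop.mail.example.net,995
2018-11-20T09:15:30Z,WS-031,C:\Program Files\Mozilla Thunderbird\thunderbird.exe,smtp.example.com,465
2018-11-20T09:16:02Z,WS-040,C:\Windows\System32\svchost.exe,mail.example.com,n/a
"""


def process_name(image_path):
    """Final component of a Windows path, lower-cased for comparison."""
    return image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_unexpected_mail_talkers(log_text, approved=APPROVED_MAIL_CLIENTS):
    """Summarise SMTPS/POP3S sessions opened by processes outside `approved`,
    keyed by (host, process)."""
    findings = defaultdict(lambda: {"protocols": set(), "dests": set(), "count": 0})
    for row in csv.DictReader(io.StringIO(log_text)):
        try:
            proto = MAIL_TLS_PORTS.get(int(row["dest_port"]))
        except (TypeError, ValueError):
            continue  # malformed port field: skip the row rather than crash
        proc = process_name(row["image"] or "")
        if proto is None or proc in approved:
            continue
        entry = findings[(row["host"], proc)]
        entry["protocols"].add(proto)
        entry["dests"].add(row["dest_host"])
        entry["count"] += 1
    return dict(findings)


if __name__ == "__main__":
    for (host, proc), info in find_unexpected_mail_talkers(SAMPLE_LOG).items():
        print(host, proc, sorted(info["protocols"]), sorted(info["dests"]), info["count"])
```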

APT28 (also known as ‘Fancy Bear’) has elsewhere been identified as a unit of Russian military intelligence, GRU, a group blamed for the hack of the US Democratic Party and the subsequent leak during the 2016 presidential elections, among other exploits.