Think tanks and NGOs appear to have been the targets of a large spear-phishing campaign.
Adam Segal, Lipman chair of emerging technologies at the Council on Foreign Relations, tweeted: “Think tanks being targeted by APT29/COZY today, spearphishing emails claiming to be about election.”
APT29, also called Cozy Bear, is a hacking group that experts believe is connected to the Russian government. You may know the group from its role in the recent hack of the Democratic National Committee.
The current campaign also echoes earlier activity over the last few years, in which the same group targeted think tanks, universities and NGOs (including the Eurasia Group, the Council on Foreign Relations, the International Institute for Strategic Studies, and Transparency International).
Security firm Volexity writes in its report on the attacks: “These e-mails came from a mix of attacker-created Google Gmail accounts and what appears to be compromised e-mail accounts at Harvard’s Faculty of Arts and Sciences (FAS).”
Volexity continues: “These e-mails were sent in large quantities to different individuals across many organizations and individuals focusing on national security, defense, international affairs, public policy, and European and Asian studies.”
Some of the messages came from compromised Harvard faculty accounts, while others posed as messages from the Clinton Foundation. Each email appeared to carry research about the election, with click-bait titles such as “Why American Elections are Flawed” and “The ‘Shocking’ Truth About Election Rigging.”
The lure is the file delivered with the email: anyone who downloads and opens it ends up with a backdoor installed on their system. The backdoor is known as PowerDuke, and Cozy Bear has used it in earlier campaigns.
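The defender's side of the lure pattern described above, as an added example that is not part of the original article or of Volexity's tooling: a small Python triage script that parses raw messages and scores the traits the article names (a freemail sender posing as an organisation, election-themed subject lines, an attached file). The freemail list, the risky-extension list, the score weights and the verdict thresholds are my assumptions for illustration, and the two sample messages are constructed inline rather than taken from the campaign.

```python
"""Triage helper for e-mail matching the lure pattern described above.

Added example, not Volexity's tooling or anything from the article.
The indicator lists, score weights and verdict thresholds are assumptions
chosen for illustration; the sample messages are constructed inline.
"""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Domains where anyone can register an account (assumption: extend for your environment).
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Subject-line terms taken from the lure titles quoted in the article.
LURE_TERMS = ("election", "rigging", "flawed", "shocking")

# Attachment extensions that can execute or stage a payload when opened (assumption).
RISKY_EXTENSIONS = (".zip", ".lnk", ".exe", ".js", ".hta", ".scr", ".docm")

# Organisations the campaign impersonated, per the article. A display name
# claiming one of these on a freemail address is the strongest signal here.
IMPERSONATED_ORGS = ("clinton foundation", "harvard")


def sender_parts(msg: EmailMessage) -> tuple[str, str, str]:
    """Return (display name, address, domain) of the From header, lower-cased."""
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    return display.lower(), addr.lower(), domain.lower()


def risky_attachments(msg: EmailMessage) -> list[str]:
    """File names of attachments whose extension is on the risky list."""
    names = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            names.append(name)
    return names


def triage(raw: bytes) -> dict:
    """Score one raw RFC 5322 message and explain how the score was reached."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display, addr, domain = sender_parts(msg)
    subject = str(msg.get("Subject", ""))
    reasons, score = [], 0

    if domain in FREEMAIL_DOMAINS:
        score += 1
        reasons.append(f"sender {addr} is on a freemail domain")
        # An organisation's name on a freemail address is the combination the article describes.
        if any(org in display for org in IMPERSONATED_ORGS):
            score += 3
            reasons.append(f"display name '{display}' claims an impersonated organisation")

    if any(term in subject.lower() for term in LURE_TERMS):
        score += 1
        reasons.append("subject matches election lure wording")

    attachments = risky_attachments(msg)
    if attachments:
        score += 2
        reasons.append("risky attachment(s): " + ", ".join(attachments))

    verdict = "escalate" if score >= 4 else "review" if score >= 2 else "benign"
    return {"from": addr, "subject": subject, "score": score,
            "verdict": verdict, "reasons": reasons, "attachments": attachments}


def build_sample(from_hdr: str, subject: str, body: str, attachment=None) -> bytes:
    """Construct a message for testing; attachment is an optional (filename, bytes) pair."""
    m = EmailMessage()
    m["From"] = from_hdr
    m["To"] = "analyst@thinktank.example"
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        name, data = attachment
        m.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return m.as_bytes()


# Constructed samples for the demo, not real campaign messages.
CAMPAIGN_LIKE = build_sample(
    "Clinton Foundation <research.cf@gmail.com>",
    "Why American Elections are Flawed",
    "Please see the attached analysis.",
    ("elections-report.zip", b"PK\x03\x04 placeholder bytes"),
)
BENIGN = build_sample(
    "Jane Doe <jane@university.example>",
    "Lunch on Thursday?",
    "Same place as last time?",
)

if __name__ == "__main__":
    for raw in (CAMPAIGN_LIKE, BENIGN):
        result = triage(raw)
        print(result["verdict"], result["score"], result["reasons"])
```

Run it as a script to see both samples scored; in practice you would feed it the .eml files exported from a gateway quarantine or a reported-phish mailbox. Treat the score as a triage aid rather than a verdict: the article itself notes that these campaigns got past both gateway and desktop anti-malware, so a low score says nothing about an attachment that has not been detonated or inspected.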
The Volexity report goes on to say, “Volexity believes that the Dukes are likely working to gain long-term access into think tanks and NGOs and will continue to launch new attacks for the foreseeable future.”
In addition, Volexity founder Steven Adair notes, “This represented a fairly significant shift in the group’s previous operations and one that continued in the lead-up to and immediately after the 2016 United States Presidential election.”
Adair goes on to say, “The Dukes continue to launch well-crafted and clever attack campaigns. They have had tremendous success evading anti-virus and anti-malware solutions at both the desktop and mail gateway levels.”