A newly uncovered phishing campaign is targeting diplomats by presenting malicious messages as official embassy communications, and staging its payloads on legitimate cloud-based services such as Dropbox and Trello to evade detection and remediation. The scheme was uncovered by security firm Mandiant, which believes that state-backed Russian hackers are behind it.
Embassies targeted by Russian hackers
The phishing campaign is just one element of a rash of recent activity by advanced persistent threat group 29 (APT 29), probably better known to the general public as “Cozy Bear.” Believed to be backed by Russian intelligence, the group conducted a similar operation in 2021 that focused on compromising diplomats via legitimate-looking Constant Contact emails.
Mandiant says that the current phishing campaign makes use of legitimate email addresses that have been previously compromised, and opens with what appears to be an administrative notice from an embassy. These are spearphishing emails targeted at particular diplomats and embassy staff, making claims about fictitious events such as embassy closures due to Covid-19.
Erich Kron, Security Awareness Advocate for KnowBe4, expands on what these types of phishing campaigns tend to look like: “For anyone involved in politics, it is critical to understand that they may be targeted due to information they have, or even just the contacts they may have. In situations like embassies, which act as sovereign soil in foreign countries, and for the diplomats within them, the information about activities occurring within the region would be a gold mine for adversaries. Because email account hijacking and data breaches are most often the result of phishing emails, people employed by the embassies and other diplomats should be trained to spot these attacks and report them to an internal security staff. In addition, Multi-Factor Authentication (MFA) should be enabled on all accounts and logins to any accounts should be closely monitored and managed.”
The phishing campaign emails promise further details in an attachment, which is of course a malicious file dropper. When opened it creates a virtual disc image on the target computer that is automatically mounted as a virtual drive and opened in Windows Explorer. The Russian hackers attempt to entice the victim into clicking on a malicious LNK shortcut that appears to lead to the further details promised in the email. A mounted disc image is used because the files inside it are not flagged as having been downloaded from the internet, so the usual automated Windows warning does not appear before the malicious shortcut is run.
The malicious shortcut creates a foothold in the target environment for the Russian hackers by exploiting a vulnerability in a legitimate Java binary. From there the attackers deploy a variety of techniques to escalate their privileges, gaining Domain Admin access in as little as 12 hours in some cases.
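Because a file launched from a mounted image carries no download flag, the user-facing warning is absent and endpoint telemetry becomes the compensating control. The following detection logic is an added example, not code from Mandiant or from the article: it correlates a constructed, simplified event stream (a mail client writing a disc-image file, that image being mounted, and Explorer then launching a program from the mounted drive) into one finding per user. The event format, field names, time window and the sample lines are all assumptions made for this example.

```python
import re

IMAGE_EXTS = (".iso", ".img", ".vhd", ".vhdx")
MAIL_OR_BROWSER = ("outlook.exe", "thunderbird.exe", "chrome.exe", "msedge.exe", "firefox.exe")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value may be quoted

# Constructed telemetry in a simplified "<ts>|<event>|<user>|<k=v ...>" format.
# User diplomat1 shows the full chain from the article; analyst2 mounts a
# benign ISO but launches nothing from it and must not be flagged.
SAMPLE_LOG = """\
1001|FILE_CREATE|diplomat1|proc=outlook.exe path=C:\\Users\\diplomat1\\Downloads\\Embassy_Notice.iso
1005|VOLUME_MOUNT|diplomat1|image=C:\\Users\\diplomat1\\Downloads\\Embassy_Notice.iso drive=E:
1009|PROCESS_START|diplomat1|parent=explorer.exe image=E:\\java\\javaw.exe cmd="E:\\java\\javaw.exe -jar E:\\details.jar"
1020|FILE_CREATE|analyst2|proc=chrome.exe path=C:\\Users\\analyst2\\Downloads\\ubuntu.iso
1030|VOLUME_MOUNT|analyst2|image=C:\\Users\\analyst2\\Downloads\\ubuntu.iso drive=F:
1100|PROCESS_START|analyst2|parent=explorer.exe image=C:\\Windows\\System32\\notepad.exe cmd="notepad.exe"
"""

def parse(log_text):
    """Yield one dict per event line; quoted values lose their quotes."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, user, rest = line.split("|", 3)
        fields = {k: v.strip('"') for k, v in KV.findall(rest)}
        yield {"ts": int(ts), "event": event, "user": user, "fields": fields}

def detect_image_lnk_chains(log_text, window=600):
    """Return a finding for each user whose events complete the chain
    mail/browser writes disc image -> image mounted -> explorer.exe starts a
    process from the mounted drive letter, each step within `window` seconds."""
    findings = []
    images = {}   # (user, image path) -> ts of the download
    mounts = {}   # (user, drive letter) -> (image path, ts of the mount)
    for ev in parse(log_text):
        f, user = ev["fields"], ev["user"]
        if ev["event"] == "FILE_CREATE" and f.get("path", "").lower().endswith(IMAGE_EXTS) \
                and f.get("proc", "").lower() in MAIL_OR_BROWSER:
            images[(user, f["path"].lower())] = ev["ts"]
        elif ev["event"] == "VOLUME_MOUNT":
            t0 = images.get((user, f.get("image", "").lower()))
            if t0 is not None and ev["ts"] - t0 <= window:
                mounts[(user, f["drive"].upper())] = (f["image"], ev["ts"])
        elif ev["event"] == "PROCESS_START" and f.get("parent", "").lower() == "explorer.exe":
            hit = mounts.get((user, f.get("image", "")[:2].upper()))
            if hit and ev["ts"] - hit[1] <= window:
                findings.append({"user": user, "image": hit[0], "launched": f["image"], "ts": ev["ts"]})
    return findings

if __name__ == "__main__":
    for finding in detect_image_lnk_chains(SAMPLE_LOG):
        print("disc-image launch chain:", finding)
```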
The end goal of the phishing campaign appears to be establishing a quiet long-term presence on target networks for espionage purposes.
A recent report from Microsoft found that APT29 has been highly active since the beginning of the invasion of Ukraine, with the Russian hackers appearing to be operating multiple phishing campaigns at once. This activity dates back to well before the war, however, with Microsoft researchers uncovering evidence that the group has been doing preparatory work since as early as 2020. The activity appears to have begun in the summer of that year with a phishing campaign directed at IT firms located in NATO member states, attempting to use that access to breach downstream foreign policy organizations and keep tabs on how each of the countries would respond to Russia’s invasion plans.
More aggressive action appears to have begun in early 2021, with a widespread campaign to compromise energy, IT and defense organizations in Ukraine. This lends credence to the theory of a long-term plan by Russia to invade when it felt the time was right. At this point “wiper” malware was found planted on the servers of some organizations in Ukraine, designed to cripple systems when activated.
Even though evidence of multiple phishing campaigns conducted by Russian hackers has been uncovered, the Microsoft researchers believe that it is only a “fraction” of the activity currently targeting Ukraine. The researchers think that most of the activity is low-level and meant to support Russian military operations, such as distributed denial of service (DDoS) attacks, but that the campaign of sophisticated attacks of this type is far from over.
Cozy Bear is one of the most tenured and experienced groups of state-backed Russian hackers, active since at least 2010 in operations against world governments. It managed to penetrate the Pentagon email system in 2015, the Democratic National Committee in 2016, various agencies in the governments of Holland and Norway in 2017, and a variety of organizations developing Covid-19 vaccines in 2020. It is also the assumed perpetrator of the breach of managed services provider SolarWinds, which led to the compromise of some downstream systems and was largely used to access US federal agencies.
Cozy Bear is not the only group in the fray, however; Microsoft and other security researchers have observed nearly every state-backed group of Russian hackers of consequence running phishing campaigns and DDoS attacks during the Ukraine conflict period. Some are also running disinformation campaigns aimed at confusing and demoralizing the defenders. These include the GRU-connected Fancy Bear (something of a revenge-focused group that is known to harass journalists, diplomats and other targets in ways that might provide Russia with foreign influence), Berserk Bear (known for targeting critical infrastructure companies in countries around the world) and Voodoo Bear (a group that also targets critical infrastructure as well as conducting cyber espionage campaigns).
What can be done when these world-leading threat groups target an organization? According to Chris Clements, vice president of solutions architecture at Cerberus Sentinel: “This campaign highlights the importance of implementing a culture of cybersecurity that goes beyond relying on first line preventative controls. Threat actors routinely find new ways to bypass initial defenses like spam filters or antivirus to ensure that they are able to establish footholds into their victims’ organizations. Attackers then quickly pivot to other systems and escalate privileges to establish complete control over their target’s IT operations. An organization with a true culture of cybersecurity takes these factors into account by assuming that it’s only a matter of time before an attacker will establish initial access into the environment and implements secondary defenses that limit a perpetrator’s ability to operate and do damage once present. Controls like segmentation, proactive system and application hardening, and restricting users’ access to only what’s necessary for their job functions make an attacker’s job much more difficult. In depth monitoring for suspicious activities and threat hunting likewise increases the chances an attacker can be quickly detected and eradicated by the incident response team before widespread damage can be done.”