Cozy Bear Goes Phishing After Election

After the U.S. presidential election, a group tied to Russian intelligence sent wave after wave of phishing emails to universities, think tanks and the State Department, according to Motherboard.

The Dukes, a group also known as Cozy Bear or APT29, sent a series of emails on the Wednesday after the election, including messages crafted to look like a Harvard professor forwarding information from the Clinton Foundation. The group sent the emails to many people working in national security, defense, international affairs, public policy, and European and Asian studies.

Using Gmail accounts, the group sent eFax links and Microsoft Word and Excel documents that concealed code to download a backdoor onto the targeted systems, according to an analysis by security firm Volexity. Components of the backdoor were hidden in PNG files.

“They have had tremendous success evading anti-virus and anti-malware solutions at both the desktop and mail gateway levels,” the analysis said. “The group’s anti-VM macros and PowerShell scripts appear to have drastically reduced the number of sandboxes and bots that the group has to deal with on their command and control infrastructure.”

Cozy Bear has previously been linked to the breach of the Democratic National Committee and to other campaigns targeting think tanks that focus on Russian affairs.