Attackers suspected of working for the Russian government masqueraded as a US State Department official in an attempt to infect dozens of organizations in government, military, defense contracting, media, and other industries, researchers from security firm FireEye warned on Monday.

“Secure” communications

The spear-phishing campaign began last Wednesday. This is almost exactly two years after the Russian hacking group known under a variety of monikers, including APT29 and Cozy Bear, sent a similar barrage of emails that targeted many of the same industries, FireEye said in a blog post. The tactics and techniques used in both post-election campaigns largely overlap, leading FireEye to suspect the new one is also the work of the Russian-government-controlled hacking arm. FireEye researchers Matthew Dunwoody, Andrew Thompson, Ben Withnell, Jonathan Leathery, Michael Matonis, and Nick Carr wrote:

Analysis of this activity is ongoing, but if the APT29 attribution is strengthened, it would be the first activity uncovered from this sophisticated group in at least a year. Given the widespread nature of the targeting, organizations that have previously been targeted by APT29 should take note of this activity. For network defenders, whether or not this activity was conducted by APT29 should be secondary to properly investigating the full scope of the intrusion, which is of critical importance if the elusive and deceptive APT29 operators indeed had access to your environment.

At least 38 FireEye clients have been targeted so far in the spear-phishing campaign, Carr told Ars. The emails purport to deliver an official US State Department document from a known public-affairs official at the same US agency. The messages were designed to appear as a secure communication that’s hosted on a webpage linked to the official’s personal drive. To further appear legitimate, the message delivers a legitimate State Department form.

Behind the scenes, the messages contained links that installed Cobalt Strike, a commercially available post-exploitation framework. Its payload communicated with a command-and-control server operated by the attackers and, to better hide that traffic, was configured to make its communications look like part of the Pandora music-streaming service.

The attack in many ways resembled the one seen in November 2016. The newest one used the compromised email server of a hospital to send the phishing emails and a hacked corporate website of a consulting company to host the linked payloads. The messages linked to a ZIP archive containing a malicious Windows shortcut file, hosted on a likely compromised legitimate domain, jmj[.]com. And it came a week following a major US election.

The phishing emails in the 2016 campaign similarly were sent from purpose-built Gmail accounts and what may be a compromised email account from Harvard University's Faculty of Arts and Science. Like their 2018 counterparts, they also had either malicious links to ZIP files or forged Windows shortcut files and came immediately on the heels of another big US election.

Monday’s post explained:

There are several similarities and technical overlaps between the 14 November 2018 phishing campaign and the suspected APT29 phishing campaign on 9 November 2016, both of which occurred shortly after US elections. However, the new campaign included creative new elements as well as a seemingly deliberate reuse of old phishing tactics, techniques, and procedures (TTPs), including using the same system to weaponize a Windows shortcut (LNK) file. APT29 is a sophisticated actor, and while sophisticated actors are not infallible, seemingly blatant mistakes are cause for pause when considering historical uses of deception by Russian intelligence services. It has also been over a year since we have conclusively identified APT29 activity, which raises questions about the timing and the similarities of the activity after such a long interlude.

Notable similarities between this and the 2016 campaign include the Windows shortcut metadata, targeted organizations and specific individuals, phishing email construction, and the use of compromised infrastructure. Notable differences include the use of Cobalt Strike rather than custom malware; however, many espionage actors do use publicly and commercially available frameworks for reasons such as plausible deniability.

During the phishing campaign, there were indications that the site hosting the malware was selectively serving payloads. For example, requests using incorrect HTTP headers reportedly served ZIP archives containing only the benign publicly available Department of State form. It is possible that the threat actor served additional and different payloads depending on the link visited; however, FireEye has only observed two: the benign and Cobalt Strike variations.

What’s more, the malicious LNK used in last week’s campaign has technical overlaps with the LNK from two years ago. Both LNKs also are similar in structure and code, and they contain significant metadata similarities, including the MAC address of the system on which the LNK was created.
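The shortcut metadata referred to above lives in the LNK file's TrackerDataBlock, whose object-identifier GUID is a version-1 UUID that embeds the creating machine's MAC address and a creation timestamp. The following Python is an added example, not code from FireEye or the article: it extracts those fields from raw .LNK bytes and compares two parsed links for a shared origin, which is the kind of overlap the researchers describe. The sample link bytes, the host name DESKTOP-SAMPLE and the MAC 00:11:22:33:44:55 are constructed here and are not real indicators.

```python
import struct
import uuid
from datetime import datetime, timedelta

TRACKER_SIGNATURE = 0xA0000003       # ExtraData signature of the TrackerDataBlock
UUID_EPOCH = datetime(1582, 10, 15)  # v1 UUID timestamps are 100 ns ticks since this date

def parse_tracker_block(lnk: bytes):
    """Find the TrackerDataBlock (MS-SHLLINK 2.5.10) in raw .LNK bytes: BlockSize(4)
    Signature(4) Length(4) Version(4) MachineID(16) Droid(2 GUIDs) DroidBirth(2 GUIDs).
    The second GUID of each pair is a version-1 UUID whose node is the creator's MAC."""
    pos = lnk.find(struct.pack("<I", TRACKER_SIGNATURE))
    if pos < 4:
        return None  # block absent, or no room for the BlockSize field before it
    base = pos - 4
    block_size, _sig, length, _version = struct.unpack_from("<4I", lnk, base)
    if block_size != 0x60 or length < 0x58 or base + block_size > len(lnk):
        return None  # malformed or truncated block
    machine_id = lnk[base + 16:base + 32].split(b"\x00", 1)[0].decode("ascii", "replace")
    guids = [uuid.UUID(bytes_le=lnk[base + 32 + 16 * i:base + 48 + 16 * i]) for i in range(4)]
    file_id = guids[1]  # Droid.ObjectID, stamped by the host that created the link
    if file_id.version != 1:
        return None
    mac = ":".join(f"{(file_id.node >> (8 * i)) & 0xFF:02x}" for i in reversed(range(6)))
    created = UUID_EPOCH + timedelta(microseconds=file_id.time // 10)
    return {"machine_id": machine_id, "mac": mac, "created_utc": created,
            "volume_id": str(guids[0]), "birth_volume_id": str(guids[2])}

def same_creator(a: dict, b: dict) -> bool:
    """True when two parsed blocks point at the same creating host (MAC and NetBIOS name)."""
    return a["mac"] == b["mac"] and a["machine_id"] == b["machine_id"]

def make_v1_uuid(created: datetime, clock_seq: int, node: int) -> uuid.UUID:
    """Deterministic v1 UUID for constructed sample data (not taken from any real host)."""
    ticks = ((created - UUID_EPOCH) // timedelta(microseconds=1)) * 10
    return uuid.UUID(fields=(ticks & 0xFFFFFFFF, (ticks >> 32) & 0xFFFF,
                             ((ticks >> 48) & 0x0FFF) | 0x1000,
                             0x80 | ((clock_seq >> 8) & 0x3F), clock_seq & 0xFF, node))

def build_tracker_block(machine_id: str, volume_id: uuid.UUID, file_id: uuid.UUID) -> bytes:
    """Serialize a TrackerDataBlock; DroidBirth repeats Droid as for a never-moved file."""
    droid = volume_id.bytes_le + file_id.bytes_le
    return (struct.pack("<4I", 0x60, TRACKER_SIGNATURE, 0x58, 0)
            + machine_id.encode("ascii").ljust(16, b"\x00") + droid + droid)

# Constructed sample: stand-in 0x4C-byte ShellLinkHeader, tracker block, 4-byte TerminalBlock.
SAMPLE_LNK = (b"L" + bytes(0x4B) + build_tracker_block("DESKTOP-SAMPLE", uuid.UUID(int=0x1234),
              make_v1_uuid(datetime(2018, 11, 14, 9, 30), 0x0ABC, 0x001122334455)) + bytes(4))
```

The block locates the tracker block by a byte search for its signature; a full parser walks the ShellLinkHeader, LinkTargetIDList and LinkInfo first, which matters when a link's string data could contain those four bytes.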

People who received the emails didn’t have to have Microsoft Word macros installed to become infected. Instead, Carr said, they only had to click on the link and, depending on their PC configuration, most likely click on the downloaded file.

“It’s worth noting,” Carr wrote, “that LNK files have their extensions hidden by default in Windows, so we see these filetypes abused in a lot of ways, by a lot of groups—https://twitter.com/ItsReallyNick/status/1041710405985423360. APT29 was the first to abuse LNK files in 2016 in the exact way that was done again here.”

🆕🔗: We continue to see attackers abuse shell links (.LNK) in creative new ways. Looks like @Microsoft "significantly" updated the file format specs on September 12: https://t.co/X5P5XdVSO7 CHANGELOG: 9/12/2018 | 5.0 | Major | Significantly changed the technical content. pic.twitter.com/KQMhU7nFpo — Nick Carr (@ItsReallyNick) September 17, 2018

Last week’s campaign was also detected by CrowdStrike, a different security company that also suspects Russia is behind it. In a statement, the company’s vice president of intelligence, Adam Meyers, wrote:

On 14 November 2018, CrowdStrike detected a widespread spear-phishing campaign against multiple sectors. These messages purported to be from an official with the US Department of State and contained links to a compromised legitimate website. Individuals receiving the emails worked at organizations in a range of sectors including think tanks, law enforcement, government, and business information services. Attribution for this activity is still in progress; however, the Tactics, Techniques, and Procedures (TTPs) and targeting are consistent with previously identified campaigns from the Russia-based actor COZY BEAR.

The reports are a strong indication that Russia may, once again, be aggressively targeting US organizations after lying low for the past year or so. FireEye’s report has a variety of indicators people can use to determine if their computers have been targeted or infected in the most recent campaign.