Posted by Curt on 1 July, 2017 at 10:09 am.


Area 1 Security:

It’s tempting to think cyberattacks are sophisticated, but from a technical perspective, they are mostly routine. Cyber actors must rely on operational efficiency, reusable modular toolkits, and infrastructure stability to attack a large number of targets successfully. These assembly lines run counter to the view that cyber attacks are “sophisticated snowflakes” and provide opportunities to preempt attacks at a point in time when it is possible to change outcomes.

Area 1 Security learned several small patterns during a phishing campaign launched November 9, 2016, via its ActiveSensor network. This campaign, which began the day after the U.S. presidential election, revealed insights into the assembly line of the actor, a partial database of targets, and methods to preempt future attacks.

The campaign we observed is attributed to a Russian espionage group we call RUS2 (also known as the Dukes, APT-29, or Cozy Bear). RUS2 is solely focused on targeting political organizations. They are known to have hacked the DNC in 2015 and breached the State Department in the same year. To achieve their goals, they simultaneously pursue current and former officials, as well as associates working in private industry.

The phishing emails in this campaign had several shared characteristics:

Subjects: “just FYI”, “RFI”, “eFax”, or “Elections”

Attachments: ZIP file attachment or Microsoft document containing a malicious macro

Command and Control: known C2 operated by RUS2

During the reconnaissance phase (Kill Chain — 1) of a cyber campaign, actors compile lists of targets and their email addresses, primarily through open source data-gathering, web scraping, social network analysis and other national technical means. Once targets are identified and their targeting information compiled, they will typically be loaded into a targeting database in an automated system to execute the delivery phase (Kill Chain — 3).

The targeting database that Area 1 Security was able to reconstruct reveals three specific insights into the assembly line of operations which can be used to preempt future campaigns:

  1. The database contains a mixture of personal and corporate email addresses. Targets include current and former officials of the U.S. government or associates in the political process. This shows RUS2 is looking for the weak link in the chain and will pursue direct and indirect targets to achieve their campaign’s goals.
  2. Analysis of bounced emails included in the campaign shows that the actor doesn’t consider cleaning or updating their database of targets. Targets continue to receive phishing attacks, whether or not they are in the same position as they were when initially targeted.
  3. Temporal reconstruction of the bounced emails, targets, and their positions of interest reveals targeting going back ten years to 2007.

RUS2 believes they avoid detection by changing some aspects of the infrastructure they utilize. This is a countermeasure to traditional security approaches which focus on blocking IPs, domains, and URLs. Our use of attacker behavior analytics, however, and their consistent redelivery of phishing campaigns to targets no longer associated with identified email addresses, allows us to reconstruct both the timeline and development of their campaigns, as well as new infrastructure and payloads being delivered.
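One way to carry out the temporal reconstruction described above, as an added example that is not Area 1 Security's code: it takes constructed sensor observations of sends and bounces (every address, date and subject below is made up) and derives, per target, the first and last targeting dates and whether the actor kept sending after a bounce, the stale-list behaviour the report relies on.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Observation:
    """One phishing delivery attempt seen by a mail sensor (constructed)."""
    sent: date        # date the phishing message was sent
    recipient: str    # targeted address; all values here are made up
    bounced: bool     # True if the mailbox no longer existed
    subject: str      # subject line as observed


# Constructed sample data: the same stale list replayed across campaigns.
OBSERVATIONS = [
    Observation(date(2007, 5, 2), "aide@campaign-a.example", False, "RFI"),
    Observation(date(2008, 9, 14), "aide@campaign-a.example", True, "just FYI"),
    Observation(date(2016, 11, 9), "aide@campaign-a.example", True, "Elections"),
    Observation(date(2015, 3, 1), "jdoe@state.example", False, "eFax"),
    Observation(date(2016, 11, 9), "jdoe@state.example", False, "Elections"),
    Observation(date(2016, 11, 9), "jdoe@pharma-corp.example", False, "Elections"),
]


def reconstruct_targets(observations):
    """Per recipient: first/last targeting date, bounce count, and whether
    the actor kept sending after a bounce (i.e. the list is never culled)."""
    by_recipient = defaultdict(list)
    for obs in observations:
        by_recipient[obs.recipient].append(obs)
    summary = {}
    for recipient, events in by_recipient.items():
        events.sort(key=lambda e: e.sent)
        first_bounce = next((e.sent for e in events if e.bounced), None)
        summary[recipient] = {
            "first_targeted": events[0].sent,
            "last_targeted": events[-1].sent,
            "bounces": sum(e.bounced for e in events),
            # A send dated after the first bounce means nobody pruned the list.
            "stale_entry": first_bounce is not None
            and any(e.sent > first_bounce for e in events),
        }
    return summary


def earliest_targeting_year(summary):
    """How far back the reconstructed target database reaches."""
    return min(v["first_targeted"].year for v in summary.values())
```

Run over real sensor data, the same grouping also surfaces addresses at organizations that were never the original political target but inherited a listed person.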

It’s easy to imagine RUS2 operating a giant spreadsheet where new targets are added, but never leave. RUS2 probably moves quickly, compromising a server or service to send out phishing emails from it, and then leaves, never returning to check for bounced email messages to cull from its list.

Targets who change their positions and the organizations they work for after becoming a target of RUS2 unintentionally move into the crosshairs of future campaigns. Thus targets carry the blemish of being a Russian target into their new workplace. These people unintentionally give RUS2 beachheads in companies and organizations they never even planned on or imagined hacking. As an example, several targets of the November 9, 2016, campaign who had worked in the prior administration and now work in the financial, pharmaceutical, and defense industries continue to be targeted, and those organizations are attacked as a result of the association.

Russia is notoriously persistent in pursuing targets and our report is a lesson on why every organization needs great security.

Our analysis of the last ten years of RUS2 targeting, compiled by reverse engineering their database, reveals previously undisclosed information about the involvement of Russian actors in prior U.S. elections. It has been widely reported that both presidential candidates in the 2008 election were targeted and exploited by actors associated with the Chinese government. Area 1 Security was able to identify targets within the November 9, 2016 campaign whose association with the 2008 campaign indicates RUS2 was actively targeting them during the same period. The list also includes several officials involved in Russian policy, including a U.S. ambassador to Russia.
