The group known as Cozy Bear is back with a wave of attacks trying to get into the computers of US government employees, academics, and think tank workers.
Merely a few hours after Donald Trump declared his stunning victory, a group of hackers that is widely believed to be Russian and was involved in the breach of the Democratic National Committee launched a wave of attacks against dozens of people working at universities, think tanks, NGOs, and even inside the US government.
Around 9 a.m. ET on Wednesday, the hackers sent a series of phishing emails trying to trick dozens of victims into opening booby-trapped attachments containing malware, and clicking on malicious links, according to security firm Volexity, which observed and reported the five attack waves. The targets work for organizations such as Radio Free Europe / Radio Liberty, the Atlantic Council, the RAND Corporation, and the State Department, among others.
One of the phishing emails included a forwarded message appearing to be from the Clinton Foundation, apparently sent by a professor at Harvard. The email used the professor's real address, and according to Volexity's founder Steven Adair, it's likely that the professor got hacked and the attackers then used his account to send out the phishing emails. (The professor did not respond to a request for comment.)
One of the targets, who shared the email she received with Motherboard, said she "almost fell for it."
The victim, who used to work at an NGO, said she clicked on the ZIP file and opened it, and her anti-virus didn't flag the malware. Then, luckily, she had second thoughts.
"Right before I opened the file, I started to think about the casual language in the email," said the victim, who asked to remain anonymous, and was referring specifically to the expression "FYI" at the top of the email. "That's not how academics speak. Also, why would the Clinton Foundation send out information about the election, it didn't make sense."
Yet, she added, "if the language had been less casual and more academic, I might have [fallen for it]!"
Adair, who investigated these attacks and analyzed the malware, said the hackers are from the group known by the aliases of APT29 or Cozy Bear, one of the two Russian-linked groups who broke into the DNC. The group's timing was clearly intended to exploit the interest in the presidential campaign but was planned ahead of time. And while the phishing attacks weren't that sophisticated, they were good enough that they might have succeeded in tricking some people into clicking or opening the attachments, and used malware that escaped all detection. (Adair couldn't say for sure if anyone had clicked on them.)
The organizations targeted, Adair told me, use all kinds of anti-virus protections and yet, "these emails, for the most part—not 100 percent, but for the most part—went right through all these filters."
"They're not getting detected, they're not getting flagged," he said in a phone call.
The malware, according to Adair's analysis, hid within an image file using steganography and was designed to install a backdoor on victims' computers. It was also engineered to make life difficult for security researchers and sleuths who might come across it in an attempt to "cut down on the noise," and "cut down to the chase."
"[It] gives them a head start," Adair explained. "Even if you are a security researcher who knows this is bad, it's not necessarily as simple as running it and having an answer a minute later. It takes a bit of analysis time. So that gives the attackers lead time to conduct their operation, especially before they are found out."
Cozy Bear and its fellow hacking group, known as Fancy Bear, both believed to be part of the Russian intelligence apparatus, have been trying to hack American and western targets for years. This latest wave of attacks is a sign that even after Trump's win, they're still active and interested in hacking new victims.