Russian state-backed hackers this week used the US presidential election results as a lure in a series of targeted spear phishing attacks against NGOs and think tanks, according to researchers.
The emails - coming from a mix of specially created Gmail accounts and compromised Harvard accounts - were sent out in large numbers to organizations and individuals specializing in national security, defense, international affairs, public policy, and European and Asian studies, according to Volexity.
To trick the recipient into downloading malware, some emails were spoofed to contain a post-mortem analysis from the Clinton Foundation; others featured documents claiming to reveal how the election was rigged; and one version had a malicious link to a PDF download titled "Why American Elections Are Flawed".
The incident response firm claimed the attacks are likely to be the work of a Kremlin-linked group known as The Dukes (APT29, Cozy Bear), which has been linked to attacks against the Democratic National Committee.
Its reasoning is based on the attacks featuring specific backdoor malware, PowerDuke, previously used by the group.
Also telling are various techniques favored by The Dukes, such as the use of malicious macros embedded into Word documents, containing several anti-VM checks designed to avoid executing in virtualized environments.
Volexity founder Steven Adair claimed the group is working to gain long-term access into its target organizations and warned NGOs and think tanks in the US to be on their guard for the foreseeable future.
“The group’s anti-VM macros and PowerShell scripts appear to have drastically reduced the number of sandboxes and bots that the group has to deal with on their command and control infrastructure,” he revealed. “This combined with their use of steganography to hide their backdoor within PNG files that are downloaded remotely and loaded in memory only or via alternate data streams (ADS) is quite novel in its approach.”