The Latest Phishing Trends Traced to Russia

by Brad Slavin | Dec 13, 2018 | Phishing Protection

Russia and its hackers have been popular in the news for the past several years. Whether to allegedly influence foreign elections or steal intellectual property its sphere of influence is worldwide.

But first a bit of history. How did we get to this point in time? Countries have always been involved with clandestine activities to undermine or even overthrow neighboring governments. They have used deception and sometimes even force to accomplish their goals. So it was only a matter of time before technology was embraced as a tool to this end. And so began the partnership between hacker and government.

In 2009, Google China was hit by a security breach. Upon further investigation, it was determined that China was targeting the emails of individuals and groups who were focused on human rights and human rights violations. These Google users resided not just in China, but in the United States and Europe. Google had entered the Chinese market in 2006 subject to China’s strict internet policy. However, the resulting breach three years later caused the company to relocate its servers to Hong Kong.

One very active Russian hacker team is known by several names:

• APT 28,
• Fancy Bear, or
• Sofacy.

It is most known for its attack on the Democratic National Committee’s computer in 2016 but it has existed since at least 2007. The DNC has never allowed government agencies to analyze the computers so it is difficult to determine the extent of the attack.

This group’s signature mark is to cause its viruses and other malware to evolve into different threats. But in a nod to the past, it also makes use of previous malware that evades detection because it is no longer deemed a threat.

In the latter case, recent malware attacks from the group have focused on using an encrypted connection to carry the malware.

This means that while delivery is taking place the malware is not detected. This type of attack has pretty much disappeared until recently when it started making a comeback in October and November of this year. It was determined that the suspected targets were government entities in North America, Europe, and an unnamed former USSR state. In this particular phishing sweep, the malware contained evidence of an evolution AND the encrypted connection.

It has been reported that APT28 has started to use a new Trojan named Cannon, as well as its favorite, Zebrocy, which it used to target government agencies in North America and Europe. Both Trojans download another wave of malware after a computer system has already been compromised. The difference between the two is that Cannon uses legitimate email providers for its email accounts. In this way, the malware makes itself harder to detect.

Another group of hackers has a similar name, APT29. It has been very quiet since 2017 but appears to have come roaring back with a vengeance. Its targets have included

• law enforcement,
• think tanks,
• drug companies,
• different media outlets, and
• contractors in the defence industry.

APT29, also known as Cozy Bear and like APT28 is believed to be working on behalf of Russia’s military intelligence service. The group has been operational since at least 2014.

This is how the latest malware worked: the email falsely appeared to come from the US State Department from a well-known individual who is employed there. The email even had a legitimate US State Department form to lend an air of authenticity to it. The email had links that when clicked, caused a Windows back door named Cobalt Strike to infest the device.

This attack is very similar to one which occurred in November of 2016 which took advantage of a hacked email server in a hospital. In this scenario, the  emails contained a ZIP archive which in turn held a Windows shortcut file with the malware payload.

An interesting possibility is that these malware attacks are really false flags, intended to make them appear to come from state sponsored hackers in Russia. But the attacks are being published in the media with the hope that malware researches can contribute their opinions on the attacks.

Earlier in 2018, Microsoft acknowledged that it had assisted the US Government to thwart attacks by Russian hackers against at least three politicians who were running in this year’s midterm elections.

The software company attributed the attacks to members of the APT28 group, which they have nicknamed Strontium.

The attempts involved web domain sites that appeared to belong to the US Senate or to conservative think tanks, and even to a product page of Microsoft’s. But in all cases they were actually fake sites.

There was no evidence that hackers successfully tricked any visitors to give out personal information; the company acknowledged that the fake sites were created recently and registered with major web-hosting companies. Microsoft’s Digital Crimes Unit has used the US court system to seize and shut down 84 fake websites since 2016 that were allegedly created by the APT28 group of hackers.

While the Russian hackers seem to have their fingers in a lot of digital pie, it has become apparent that the biggest threat from them is during the election cycle. Political campaigns usually do not have the funding required to mount a good defense against cyber attacks. While it may be possible to hack into voting machines, experts say it would be extremely unlikely that enough machines would be compromised to change the outcome of an election. All fifty states and some 1000 local governments have opened a center to share and compare investigations and findings.

It is a game of cat and Russian mouse that continues unabated 24/7/365. Unrelenting vigilance is necessary to combat the threat that according to Kirstjen Neilsen, Secretary of Homeland Security,  has “democracy in the crosshairs”.

References

Top 10 most notorious cyber attacks in history

RUSSIA’S ELITE HACKERS MAY HAVE NEW PHISHING TRICKS

Russia’s Cozy Bear comes out of hiding with post-election spear-phishing blitz

Microsoft helped the US Government is protecting at least three 2018 midterm election candidates from attacks of Russian cyberspies.

Microsoft Detects More Russian Cyber Attacks Ahead of Mid-Term Election

Russia Linked Group Resurfaces With Large-Scale Phishing Campaign

How the U.S. Is Fighting Russian Election Interference

Spear Phishing Prevention for Small and Medium Size Businesses

by Brad Slavin | Dec 3, 2018 | Phishing Protection

What is spear phishing?

Spear phishing is when you receive an email from someone or some company you trust. It looks legitimate. It may even have the names and extension number of coworkers. It looks authentic, so you don’t give it a second thought. But you should, because it’s from an attacker, and they’re trying to steal your valuable information.

Continue reading “Spear Phishing Prevention for Small and Medium Size Businesses” »

Top Phishing Email Attacks Worldwide in 2018

by Brad Slavin | Nov 29, 2018 | Phishing Protection

2018 was a good or bad year for phishing depending on which side of the law you were on! Phishing is defined in many places on the internet, but I like the Cambridge Dictionary definition the best: “an attempt to trick someone into giving information over the internet or by email that would allow someone else to take money from them, for example by taking money out of their bank account”.

Continue reading “Top Phishing Email Attacks Worldwide in 2018” »

Protecting Your Business From Phishing Attacks

by Brad Slavin | Nov 2, 2018 | Phishing Protection

In this age of rampant cyber attack, corporations must take measures to protect themselves. Since 91% of all cyber attacks begin with a phishing email, taking steps to defend against phishing attack might be the single most important aspect of an overall threat defense plan.

Continue reading “Protecting Your Business From Phishing Attacks” »

Ransomware Attacks Your Organization’s Ability to Function

by Brad Slavin | Sep 26, 2018 | Phishing Protection

By the time any business is aware that they are the target of a ransomware attack, it’s too late. Once a hacker has breached security and enticed a user to click on a malicious link or attachment, access to local data on that employee’s computer is locked. In order to unlock the data, a ransom must be paid. In about 91% of cases, the vector for ransomware is incoming email, often in the form of a spear phishing attack that purports to be from a sender known and trusted by the victim.

Read More

The Threat Of Ransomware is Real

by Brad Slavin | Sep 6, 2018 | Phishing Protection

Ransomware is a multi-million dollar a year online business that can strike any organization.

Both Ransomware and legitimate business engage in email marketing campaigns with the intent of making sales to new customers. In the case of legitimate business, some good or service of value is returned to the client. In the case of ransomware, business is slowed or halted by malware that locks or deletes files, and a ransom is demanded that may or may not stop the attack or reverse the damage if paid. Ransomware is criminal but make no mistakes: its top producers make millions of dollars a year in revenue.

Read More