Six hours after Donald Trump won the 2016 US Presidential Election, a cyber-espionage group believed to operate out of Russia launched a wave of spear-phishing emails aimed at various US think tanks and non-governmental organizations (NGOs).
Security firm Volexity claims the emails are the work of an APT (Advanced Persistent Threat), the term used to describe cyber-espionage groups that perform covert hacking operations in order to gather intelligence on foreign governments, dissidents, and domestic or foreign companies.
This APT is known as The Dukes, but other companies use other codenames such as APT29, Cozy Bear, or CozyDuke. Security firm CrowdStrike claimed in June 2016 that The Dukes was one of the two Russian-linked cyber-espionage groups that hacked the DNC servers.
According to their report, The Dukes hacked the DNC in the summer of 2015 but kept a low profile, compared to the second group (APT28 or Fancy Bear), which hacked the DNC server in April 2016 and made a public spectacle out of it.
Volexity says that as soon as Donald Trump was announced as the winner of the US Presidential race, The Dukes launched spear-phishing campaigns aimed at US think tanks and NGOs.
The security firm says that most of the spear-phishing emails came from Gmail accounts and from email accounts belonging to Harvard's Faculty of Arts and Sciences (FAS). Volexity claims the Harvard email accounts appeared to have been hacked, not spoofed.
The email subjects covered various topics, from the recent Presidential Election to national security and international affairs. One of the emails deployed in the spear-phishing campaign is pictured below, courtesy of Volexity.
The Dukes used different tactics to infect targets with malware. Some emails contained links that led users to websites where exploits would auto-download and install malware on the victim's PC. Other emails contained legitimate political reports to which The Dukes had added macro scripts; if the user allowed the macros to run, they would download and install malware on the user's PC.
In all attacks, the hackers tried to infect the victims with the PowerDuke malware, a backdoor trojan that allows the hackers limited access to infected computers, in order to steal files or download and install other, more potent malware.
Volexity says it detected at least five different spear-phishing campaigns following Donald Trump's victory.
This is not the first time The Dukes targeted US think tanks and NGOs. Similar attacks took place in July 2015.
The most recent wave of spear-phishing attacks tried to compromise employees at Washington-based think tanks and NGOs. These took place in August 2016, and CrowdStrike pinned those attacks on The Dukes as well.
Volexity says that a few smaller spear-phishing campaigns, also aimed at think tanks and NGOs, took place in late October. The Dukes used similar spear-phishing tactics.
Targeting think tanks and NGOs is a smart move for The Dukes, since these organizations often work closely with the US government on upcoming state and national policies and provide consulting on issues that may be pertinent to the US' stance on national and international affairs.
In other cyber-espionage news, APT28 (also known as Sednit, Strontium, Operation Pawn Storm, or Fancy Bear) has been busy launching spear-phishing attacks that leveraged the recent zero-day Google discovered in Microsoft products.
Trend Micro says that as soon as the news about the zero-day surfaced, APT28 intensified spear-phishing attacks in order to exploit the zero-day as much as possible before Microsoft fixed the issue this Tuesday in its recent security updates.
Before that, APT28 developed and deployed its own Flash zero-day. These attacks were picked up by Google as well, which reported the issue to Adobe; the company had a fix out in less than a week.