It looks like the Russian government-linked hacking group Cozy Bear is back in the election trickery business.
The security firm Volexity publicized a spearphishing campaign on Thursday that it identified only days ago, a scheme that uses an election fraud document as a lure. The emails purport to be from the United States Agency for International Development (USAID), with targets including government agencies, research institutions and nongovernmental organizations in the U.S. and Europe.
Volexity said it had concluded, with moderate confidence, that Cozy Bear — the group also known as APT29 or the Dukes — was behind the emails.
If true, it would be a return to an old favorite subject for Cozy Bear, which the U.S. government and others implicated in the 2016 hacks of the Democratic National Committee and Hillary Clinton’s presidential campaign, among other election interference efforts.
More recently, Cozy Bear has garnered attention from the Biden administration, which pointed the finger at the hacking group over the sweeping SolarWinds supply chain attack; and from the Trump administration, which accused the group of trying to steal COVID-19 research.
In one version of the email that Volexity observed, an apparent USAID “special alert” email reads, “Donald Trump has published new documents on election fraud.” Opening the PDF file, which is a copy of a March U.S. intelligence community report on 2020 election interference attempts, triggers a malicious software attack that involves hackers gaining remote access to a victim’s device.
The hackers seemed to try to cloak their identities by including a Korean word in the malware’s fingerprint, Volexity said.
“Volexity does not believe Korean-speaking threat actors or developers are responsible for this malware family,” the company wrote in a blog post. “Volexity instead believes this to be a false flag. Additionally, the compile timestamp dating to the year 2019 is likely to have been falsified.”
It’s a reminder that when it comes to attack attribution, language is but one indicator.
Check out this excellent blog post from @Volexity on possible APT29 activity. Here's your regular reminder that false flags are a thing, so please don't jump to conclusions about attribution based on language alone. https://t.co/FiLFbEELn3 pic.twitter.com/TadYyOnkdm
— Katie Nickels (@likethecoins) May 27, 2021
In most other regards, based on Volexity’s experience with Cozy Bear, the campaign bears the hallmarks of the group’s handiwork.
“After a relatively long hiatus with no publicly detailed spear phishing activity, APT29 appears to have returned with only slight changes to its historical” tactics, techniques and procedures, Volexity said.
The company doesn’t know how many victims the hackers targeted, but it said it witnessed attacks on its own customers.