The Dukes are at it again: Major phishing campaign post-election

14 Nov 2016

US and Russia flags. Image: Bennian/Shutterstock

One of the most accomplished hacking groups in the world, Russia-based The Dukes got creative last week, targeting NGOs immediately after the US presidential election.

Within six hours of Donald Trump winning the US presidential election, a major coordinated phishing attack on NGOs and think tanks was underway, all at the behest of The Dukes.

Also known as Cozy Bear, The Dukes is a highly active group, made infamous last year by Kaspersky Lab and F-Secure’s work highlighting the links between the group and several attacks over the years.

And while everybody was busy wondering what had just happened in the hours following Trump’s success in the US, the group was busy at work.


Five-way attack

Cybersecurity group Volexity reported a quintet of attacks by the group, each unique, though each targeting the same type of victim using a tool Volexity calls PowerDuke.

These phishing e-mails came from a mix of attacker-created Gmail accounts and what Volexity believes were compromised e-mail accounts at Harvard’s Faculty of Arts and Sciences.

Of the five attacks, two were emails claiming to be from the Clinton Foundation, providing a post-mortem on the election. Another two appeared to be eFax links or documents pertaining to the election’s outcome being revised or rigged.

The final email dealt with ‘Why American Elections Are Flawed’, with a link to a PDF file. It is not the timing of the attacks that concerns Volexity so much as the relatively soft targets and the increasingly effective techniques used.

By targeting NGOs and think tanks, The Dukes, whoever they are working for, have the potential to access important political data as well as potentially insecure servers within a given network.

Getting better at it

“The Dukes continue to launch well-crafted and clever attack campaigns,” said Volexity. “They have had tremendous success evading anti-virus and anti-malware solutions at both the desktop and mail gateway levels.

“The group’s anti-VM macros and PowerShell scripts appear to have drastically reduced the number of sandboxes and bots that the group has to deal with on their command and control infrastructure.

“This combined with their use of steganography, to hide their backdoor within PNG files that are downloaded remotely and loaded in memory only or via alternate data streams, is quite novel in its approach.

“Volexity believes that the Dukes are likely working to gain long-term access into think tanks and NGOs, and will continue to launch new attacks for the foreseeable future.”

The group is also thought to have been behind the breach of the Democratic National Committee earlier this year.

Years of success

In September last year, cybersecurity company F-Secure linked the group to seven years of attacks, using 10 distinct toolsets, none of which is PowerDuke.

“The Dukes primarily target western governments and related organisations, such as government ministries and agencies, political think tanks, and governmental subcontractors,” said F-Secure’s September 2015 report.

“Their targets have also included the governments of members of the Commonwealth of Independent States; Asian, African, and Middle Eastern governments; organisations associated with Chechen extremism; and Russian speakers engaged in the illicit trade of controlled substances and drugs.”

Basically, anybody you consider a target for Russia was included on this list.

Gordon Hunt was a journalist with Silicon Republic
