Malware researchers at Palo Alto Networks’ Unit 42 are tracking a “well-known threat group” targeting U.S. government officials with well-worn hacking tactics used in a fresh way.
In late May, Unit 42 researchers discovered a spear-phishing email sent to U.S. officials purporting to be from an official from another country’s Ministry of Foreign Affairs. The email included an attachment referencing a joint NATO operation with the U.S. and Georgia, though it actually contained malicious code meant to “gain an initial foothold on the system.”
According to Unit 42, the foreign ministry email address was not spoofed and appears to have been compromised in a previous spear-phishing attack and used to propagate the malware campaign.
Once the group has access, “the threat actors can then respond to these network beacons to download and execute additional secondary payloads on the system,” Unit 42 wrote in a June 14 blog post exposing the campaign.
Unit 42 researchers are attributing the campaign to hacking group Sofacy, also known as APT28, who have used the underlying malware and tactics against governments before.
Researchers at FireEye have tied the Sofacy group to the Russian government, though the group’s true origins and goals remain a mystery.
While the Trojan and delivery tactic — spear-phishing — aren’t new, the malware activates in a way researchers have not seen before.
Rather than run the malicious code at startup, the program waits until the user opens Word or Excel to deploy.
“This specific tactic for persistence … requires user interaction to load and execute the malicious payload, which can cause challenges for detection in automated sandboxes,” according to Unit 42. Since the user is actively opening an application at the time of deployment, even sophisticated behavioral analytics and other detection programs might not notice anything wrong, enabling the malware to spread undetected.
“This is the first time Unit 42 has seen the Sofacy group — or any other threat group for that matter — use this tactic for persistence purposes,” researchers said.
It is unclear whether Sofacy hackers were successful in getting U.S. officials to open the malicious attachment. But Unit 42 hopes that by getting the word out, potential targets can be on guard and federal agencies can protect themselves.
“The use of this new persistence method shows the continued development of tactics and techniques employed by this threat group, often times in clever ways as we observed in this instance,” researchers said.
Sofacy is also one of two Russia-based hacking groups linked to breaches of the Democratic National Committee. The Washington Post reported another group — known as APT29 or CozyDuke — breached DNC systems last year, followed by Sofacy in April 2016.
“We have identified no collaboration between the two actors, or even an awareness of one by the other,” according to Dmitri Alperovitch, co-founder and CTO of CrowdStrike, which remediated the attacks on the DNC. “Instead, we observed the two Russian espionage groups compromise the same systems and engage separately in the theft of identical credentials.”