It’s tempting to think cyberattacks are sophisticated, but from a technical perspective, they are mostly routine. Cyber actors must rely on operational efficiency, reusable modular toolkits, and infrastructure stability to attack a large number of targets successfully. These assembly lines run counter to the view that cyber attacks are “sophisticated snowflakes” and provide opportunities to preempt attacks at a point in time when it is possible to change outcomes.
Area 1 Security learned several small patterns during a phishing campaign launched November 9, 2016, via its ActiveSensor network. This campaign, which began the day after the U.S. presidential election, revealed insights into the assembly line of the actor, a partial database of targets, and methods to preempt future attacks.
The campaign we observed is attributed to a Russian espionage group we call RUS2 (also known as the Dukes, APT-29, or Cozy Bear). RUS2 is solely focused on targeting political organizations. They are known to have hacked the DNC in 2015 and breached the State Department in the same year. To achieve their goals, they simultaneously pursue current and former officials, as well as associates working in private industry.
The phishing emails in this campaign had several shared characteristics:
Subjects: “just FYI”, “RFI”, “eFax”, or “Elections”
Attachments: ZIP file attachment or Microsoft document containing a malicious macro
Command and Control: known C2 operated by RUS2
During the reconnaissance phase (Kill Chain — 1) of a cyber campaign, actors compile lists of targets and their email addresses, primarily through open source data-gathering, web scraping, social network analysis and other national technical means. Once targets are identified and their targeting information compiled, they will typically be loaded into a targeting database in an automated system to execute the delivery phase (Kill Chain — 3).
The targeting database that Area 1 Security was able to reconstruct reveals three specific insights into the assembly line of operations which can be used to preempt future campaigns:
- The database contains a mixture of personal and corporate email addresses. Targets include current and former officials of the U.S. government or associates in the political process. This shows RUS2 is looking for the weak link in the chain and will pursue direct and indirect targets to achieve their campaign’s goals.
- Analysis of bounced emails included in the campaign shows that the actor doesn’t consider cleaning or updating their database of targets. Targets continue to receive phishing attacks, whether or not they are in the same position as they were when initially targeted.
- Temporal reconstruction of the bounced emails, targets, and their positions of interest reveals targeting going back ten years to 2007.
RUS2 believes they avoid detection by changing some aspects of the infrastructure they utilize. This is a countermeasure to traditional security approaches which focus on blocking IPs, domains, and URLs. Our use of attacker behavior analytics, however, and their consistent redelivery of phishing campaigns to targets no longer associated with identified email addresses, allows us to reconstruct both the timeline and development of their campaigns, as well as new infrastructure and payloads being delivered.
It’s easy to imagine RUS2 operating a giant spreadsheet where new targets are added, but never leave. RUS2 probably moves quickly, compromising a server or service to send out phishing emails from it, and then leaves, never returning to check for bounced email messages to cull from its list.
Targets who change their positions and the organizations they work for after becoming a target of RUS2 unintentionally move into the crosshairs of future campaigns. Thus targets carry the blemish of being a Russian target into their new workplace. These people unintentionally give RUS2 beachheads in companies and organizations they never even planned on or imagined hacking. As an example, several targets of the November 9, 2016, campaign who had worked in the prior administration and now work in the financial, pharmaceutical, and defense industries continue to be targeted, and those organizations are attacked as a result of the association.
Russia is notoriously persistent in pursuing targets and our report is a lesson on why every organization needs great security.
Our analysis of the last ten years of RUS2 targeting, compiled by reverse engineering their database, reveals previously undisclosed information about the involvement of Russian actors in prior U.S. elections. It has been widely reported that both presidential candidates in the 2008 election were targeted and exploited by actors associated with the Chinese government. Area 1 Security was able to identify targets within the November 9, 2016 campaign whose association with the 2008 campaign indicate RUS2 was actively targeting them during the same period. The list also includes several officials involved in Russian policy, including a U.S. ambassador to Russia.
Tactics, Techniques, and Procedures (TTPs)
Interactions with Targets and Victims
RUS2 will engage and exchange information interactively with targets to bolster credibility and advance their campaigns.
RUS2 is known to quickly exfiltrate the entire contents of email accounts. They perform these operations with native email clients, as well as with web emails such as Gmail, Office 365, and Outlook Web Access.
Lateral Movement Operations
RUS2 begin lateral movement operations across an Active Directory Domain, typically employing Microsoft PowerShell and Python scripts compiled into binary executable files. They quickly harvest password dumps from Domain Controllers, and seek password file vaults stored on local disks and remote file servers. If they lose access to a target, they leverage previously exfiltrated usernames and passwords in order to regain access through the target’s external services.
Indicators of Compromise
The following IOCs were observed by Area 1 Security during the campaigns described herein:
A partial summary of the targets RUS2 focused on during its November 9, 2016, campaign is provided below:
Vice Chairman Investment Banking
Director Federal Government Relations
Government Relations Intern
Vice President Congressional Relations
Executive Office Administrator
Vice President Intelligence
Vice President External Relations
Obama for America
Deputy Campaign Manager
Deputy Media Director
Assistant to the Campaign Manager
Deputy Field Director
HR Regional Manager
Battleground State Director
The White House, 2008–2016
Deputy Counsel for the President
Deputy Assistant Secretary of Defense for Russia/Ukraine/Eurasia
Assistant to the Political Director
Advance Associate for the First Lady
Advance Associate for the President
Presidential Personnel Office
Department of State, 2008–2016
United States Ambassador to Russia
Deputy Assistant Secretary for Bureau of European and Eurasian Affairs
Assistant Secretary of State for European and Eurasian Affairs
Foreign Affairs Officer for Office of Weapons Of Mass Destruction Terrorism
Department of Energy, 2008–2016
Assistant Secretary for the Office of International Affairs
Deputy Assistant Secretary for Asia and the Americas
Director for Office of Nuclear Threat Science