The U.S. military, defense contractors, government agencies, think tanks, the media and others are being targeted in wave of spear phishing emails potentially launched by a Russian hacker group, researchers with the cyber security firm FireEye [FEYE] say in a new blog post.
FireEye detected the spear phishing on Nov. 20, saying the activity is the same as a previous targeted phishing campaign by APT29, also known as Cozy Bear, but attribution is pending. If it turns out that APT29 is the group behind the emails, it would be the first that has been detected in more than a year.
“Given the widespread nature of the targeting, organizations that have previously been targeted by APT29 should take note of this activity,” the Nov. 19 blog post says. “For network defenders, whether or not this activity was conducted by APT29 should be secondary to properly investigating the full scope of the intrusion, which is of critical importance if the elusive and deceptive APT29 operators indeed had access to your environment.”
FireEye says that it detected the spear phishing activity on more than 20 of its clients in multiple industries.
The attack is being made to look like a secure communication from a public affairs official at the U.S. State Department with the emails being launched apparently from a compromised email provider for a hospital and a consulting company.
FireEye says that the markers that indicate APT29 may be behind the attack include “the resources invested in the phishing email and network infrastructure, the metadata from the weaponized shortcut file payload, and the specific individuals and organizations targeted.” These characteristics are the same as a previous phishing campaign by APT29 that began in November 2016, it says.