Hackers associated with Russian intelligence recently began impersonating U.S. State Department employees as part of a scheme targeting potential victims across several critical sectors, catching cybersecurity experts by surprise nearly two years after the suspected state-sponsored group last surfaced.
Major cybersecurity firms including FireEye and CrowdStrike independently acknowledged detecting a wave of sudden malicious activity this week likely caused by “Cozy Bear,” an advanced persistent threat (APT) group previously linked to Russia’s Foreign Intelligence Service.
Beginning on Wednesday this week, customers of both firms were targeted by a wide-scale spear-phishing campaign that attempted to infect their computers with malware, researchers reported.
More than 20 of FireEye’s customers were targeted, according to the company, including recipients associated with defense, law enforcement, local government, media, military, pharmaceutical, think tank, transportation and U.S. public sector industries.
CrowdStrike similarly reported associated activity targeting customers involved in think tanks, law enforcement, government and business information services, the firm said Friday.
“These messages purported to be from an official with the U.S. Department of State and contained links to a compromised legitimate website,” said Adam Meyers, vice president of intelligence at CrowdStrike.
“Attribution for this activity is still in progress; however, the Tactics, Techniques, and Procedures (TTPs) and targeting are consistent with previously identified campaigns from the Russia-based actor COZY BEAR,” Mr. Meyers told The Washington Times.
FireEye said its analysis suggests possible ties to the same group, also known by names including APT29 and “CozyDuke,” among others.
Analysis determined that the hacking group conducted the campaign by initially breaching a hospital and a consulting company, then using their infrastructure to send phishing emails masquerading as messages from the State Department, FireEye researcher Nick Carr told Reuters.
The emails purportedly came from a State Department public affairs specialist and encouraged recipients to download a document supposedly from Heather Nauert, President Trump’s rumored pick for ambassador to the United Nations, Reuters reported.
It was not clear if any of the recipients downloaded the file, but FireEye said that the document contained malware that could have opened up their computers to hackers.
In a statement, the State Department said it “is aware of the recent malicious cyber event involving the spoofing (impersonation) of a Department employee reported by U.S. cybersecurity firm FireEye. No Department networks were compromised by this malicious cyber attempt,” The Associated Press reported.
Security experts and Dutch intelligence have previously connected Cozy Bear to the Russian government, and its hackers are suspected of breaching Democratic National Committee computers during what U.S. officials have assessed to be a state-sponsored attempt to meddle in the 2016 elections.
Cozy Bear has been quiet for nearly two years, however, either hibernating or operating quietly off the radar of researchers. While active as early as 2008, according to Russian cybersecurity firm Kaspersky Lab, Cozy Bear has not been publicly linked to any campaigns since early 2017, when the group was accused of targeting several Dutch and Norwegian government agencies.
Representatives for the Russian Embassy in Washington, D.C. did not immediately return a message seeking comment sent over the weekend.