CONFERENCE Cyber AI & Automation Summit - Watch Sessions
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

CozyDuke APT Behind White House, State Department Attacks: Kaspersky

An advanced persistent threat (APT) actor dubbed “CozyDuke” (also known as CozyBear and CozyCar) is believed to be responsible for recent cyberattacks targeting the US Department of State and the White House, according to Kaspersky Lab.

An advanced persistent threat (APT) actor dubbed “CozyDuke” (also known as CozyBear and CozyCar) is believed to be responsible for recent cyberattacks targeting the US Department of State and the White House, according to Kaspersky Lab.

In a blog post containing numerous technical details on the group’s tools and activities, Kaspersky researchers revealed that the APT actor targeted various high-profile organizations in the second half of 2014.

According to the security firm, CozyDuke shares similarities with components spotted in previously documented APTs such as MiniDuke, CosmicDuke and OnionDuke.

In some of its attacks, CozyDuke used spear-phishing emails containing links to compromised websites hosting malware. In other operations, the attackers relied on malicious Flash videos attached directly to emails in order to deliver malware.

“A clever example is ‘Office Monkeys LOL Video.zip’. The executable within not only plays a flash video, but drops and runs another CozyDuke executable. These videos are quickly passed around offices with delight while systems are infected in the background silently,“ Kaspersky researchers explained.

Once it infects a system, the malware checks for the presence of security products from Kaspersky, Crystal Security, Sophos, Dr. Web, Avira, and Comodo. Researchers have noted that many of the malware components used in CozyDuke attacks are signed with fake Intel and AMD digital certificates.

Kaspersky experts have determined that one of the second stage CozyDuke modules has been built on the same platform as the OnionDuke malware family. Evidence suggests that the authors of CozyDuke and OnionDuke are either the same or they work together. Similarities have also been identified between CozyDuke and MiniDuke, and the command and control (C&C) server communication methods used by CozyDuke are similar to the ones seen at CosmicDuke.

“[CozyDuke’s] custom backdoor components appear to slightly evolve over time, with modifications to anti-detection, cryptography, and trojan functionality changing per operation. This rapid development and deployment reminds us of the APT28/Sofacy toolset, especially the coreshell and chopstick components,” Kaspersky researchers noted.

Advertisement. Scroll to continue reading.

While Kaspersky hasn’t mentioned anything about the CozyDuke threat group’s affiliations, the media reports on the State Department and White House attacks named Russia as the main suspect. Furthermore, MiniDuke and OnionDuke are believed to have Russian roots.

Kaspersky Lab isn’t the first company to publish a report on the activities of the CozyDuke APT group. Back in March, a couple of Poland-based security firms published some technical details on the threat actor’s activities after it was seen targeting Polish government institutions.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Shanta Kohli has been named CMO at Sysdig.

Cloud security firm Sysdig has appointed Sergej Epp as CISO.

F5 has appointed John Maddison as Chief Product Marketing and Technology Alliances Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.