Just hours after Donald Trump was elected president of the United States, researchers spotted a series of election-themed spear-phishing attacks aimed at think tanks and non-governmental organizations (NGOs) in the U.S.
According to security firm Volexity, the attacks were launched by a Russia-linked threat group known as The Dukes, APT29, Cozy Bear and Cozy Duke. This and another actor believed to be sponsored by the Russian government, known as Pawn Storm and Fancy Bear, are suspected of launching attacks against the U.S. Democratic Party before the presidential election.
Volexity said the Dukes sent out spear-phishing emails from Gmail accounts and compromised email accounts at Harvard’s Faculty of Arts and Sciences (FAS). The targeted users specialize in national security, international affairs, defense, public policy, and European and Asian studies.
The Dukes has been targeting think tanks and NGOs in the United States since July 2015. However, in August 2016, the attackers started using a new piece of malware, which Volexity has dubbed “PowerDuke.”
Unlike in previous attacks, which involved ZIP files containing malicious executables, the threat group delivered PowerDuke via emails carrying macro-enabled Word and Excel documents. The malicious documents were set up to install a downloader designed to fetch the PowerDuke backdoor.
PowerDuke was also used in attacks launched in October and the ones observed on November 9, after the presidential election in the U.S.
The first attack wave spotted after the elections involved fake eFax emails titled “The Shocking Truth About Election Rigging in the United States.” This wave was similar to earlier attacks where the APT actor used links pointing to ZIP files to deliver its backdoors.
The second attack used the same eFax theme, but the emails were titled “Elections Outcome Could Be Revised [Facts of Elections Fraud]” and they delivered PowerDuke via macro-enabled documents.
The third wave involved emails coming from a fas.harvard.edu address and messages apparently sent via the “Harvard PDF Mobile Service.” Titled “Why American Elections Are Flawed,” these emails also carried PowerDuke malware.
The next two waves also leveraged Harvard FAS email addresses and they appeared to be forwarded from someone at the Clinton Foundation. The hacker calling himself Guccifer 2.0, which experts believe could be a persona used by Russian cyberspies, claimed in October that he had hacked the Clinton Foundation, but the organization refuted the claims.
PowerDuke, which is deployed on a system only after anti-analysis checks are conducted, is capable of collecting information about the infected device, creating and terminating processes, downloading and uploading files, and obtaining text from the current window. The backdoor is hidden in innocent-looking PNG image files and some of its components are loaded only in memory.
The U.S. has officially accused Russia of launching cyberattacks in an effort to interfere with the presidential election. Washington has vowed to respond and some officials even claim the U.S. has already hacked Russia’s critical infrastructure. Moscow has demanded an explanation for these reports.