Cyberspies Launch U.S. Attacks Hours After Trump Elected

Just hours after Donald Trump was elected president of the United States, researchers spotted a series of election-themed spear-phishing attacks aimed at think tanks and non-governmental organizations (NGOs) in the U.S.

According to security firm Volexity, the attacks were launched by a Russia-linked threat group known as The Dukes, APT29, Cozy Bear and Cozy Duke. This and another actor believed to be sponsored by the Russian government, known as Pawn Storm and Fancy Bear, are suspected of launching attacks against the U.S. Democratic Party before the presidential election.

Volexity said the Dukes sent out spear-phishing emails from Gmail accounts and compromised email accounts at Harvard’s Faculty of Arts and Sciences (FAS). The targeted users specialize in national security, international affairs, defense, public policy, and European and Asian studies.

The Dukes has been targeting think tanks and NGOs in the United States since July 2015. However, in August 2016, the attackers started using a new piece of malware, which Volexity has dubbed “PowerDuke.”

Unlike in previous attacks, which involved ZIP files containing malicious executables, the threat group delivered PowerDuke via emails carrying macro-enabled Word and Excel documents. The malicious documents were set up to install a downloader designed to fetch the PowerDuke backdoor.
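
Both delivery formats described above, ZIP archives holding executables and macro-enabled Office documents, can be flagged when mail attachments are triaged. The Python below is an added example, not code from Volexity or SecurityWeek; the extension list, the file names and the sample message are constructed assumptions.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: extensions treated as executable; tune to local policy.
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".js", ".vbs")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container

def classify(data):
    if data.startswith(OLE_MAGIC):
        return ["legacy OLE document, inspect for macros"]
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    findings = []
    # OOXML files (.docm/.xlsm) are ZIPs; macros live in vbaProject.bin.
    if any(n.lower().endswith("vbaproject.bin") for n in names):
        findings.append("OOXML document with VBA macro project")
    findings += [f"executable in archive: {n}" for n in names
                 if n.lower().endswith(EXEC_EXT)]
    return findings

def triage(raw_message):
    # Map attachment filename -> findings for one raw e-mail message.
    msg = message_from_bytes(raw_message, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        hits = classify(part.get_payload(decode=True) or b"")
        if hits:
            report[part.get_filename() or "(unnamed)"] = hits
    return report

def _zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, body in members.items():
            zf.writestr(path, body)
    return buf.getvalue()

SAMPLES = {"fax.docm": {"word/vbaProject.bin": "x"},  # constructed attachments
           "fax.zip": {"fax.exe": "MZ"},
           "notes.docx": {"word/document.xml": "<w/>"}}

def build_sample():
    msg = EmailMessage()
    msg.set_content("constructed body")
    for name, members in SAMPLES.items():
        msg.add_attachment(_zip(members), maintype="application", subtype="zip", filename=name)
    return msg.as_bytes()
```

Calling `triage(build_sample())` reports the macro document and the archive with an executable, and leaves the macro-free document unflagged.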

PowerDuke was also used in attacks launched in October and the ones observed on November 9, after the presidential election in the U.S.

The first attack wave spotted after the elections involved fake eFax emails titled “The Shocking Truth About Election Rigging in the United States.” This wave was similar to earlier attacks where the APT actor used links pointing to ZIP files to deliver its backdoors.

The second attack used the same eFax theme, but the emails were titled “Elections Outcome Could Be Revised [Facts of Elections Fraud]” and they delivered PowerDuke via macro-enabled documents.

The third wave involved emails coming from a address and messages apparently sent via the “Harvard PDF Mobile Service.” Titled “Why American Elections Are Flawed,” these emails also carried PowerDuke malware.

The next two waves also leveraged Harvard FAS email addresses and they appeared to be forwarded from someone at the Clinton Foundation. The hacker calling himself Guccifer 2.0, which experts believe could be a persona used by Russian cyberspies, claimed in October that he had hacked the Clinton Foundation, but the organization refuted the claims.

PowerDuke, which is deployed on a system only after anti-analysis checks are conducted, is capable of collecting information about the infected device, creating and terminating processes, downloading and uploading files, and obtaining text from the current window. The backdoor is hidden in innocent-looking PNG image files and some of its components are loaded only in memory.

The U.S. has officially accused Russia of launching cyberattacks in an effort to interfere with the presidential election. Washington has vowed to respond and some officials even claim the U.S. has already hacked Russia’s critical infrastructure. Moscow has demanded an explanation for these reports.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
