Connect with us

Hi, what are you looking for?



Cyberspies Launch U.S. Attacks Hours After Trump Elected

Just hours after Donald Trump was elected president of the United States, researchers spotted a series of election-themed spear-phishing attacks aimed at think tanks and non-governmental organizations (NGOs) in the U.S.

Just hours after Donald Trump was elected president of the United States, researchers spotted a series of election-themed spear-phishing attacks aimed at think tanks and non-governmental organizations (NGOs) in the U.S.

According to security firm Volexity, the attacks were launched by a Russia-linked threat group known as The Dukes, APT29, Cozy Bear and Cozy Duke. This and another actor believed to be sponsored by the Russian government, known as Pawn Storm and Fancy Bear, are suspected of launching attacks against the U.S. Democratic Party before the presidential election.

Volexity said the Dukes sent out spear-phishing emails from Gmail accounts and compromised email accounts at Harvard’s Faculty of Arts and Sciences (FAS). The targeted users specialize in national security, international affairs, defense, public policy, and European and Asian studies.

The Dukes has been targeting think tanks and NGOs in the United States since July 2015. However, in August 2016, the attackers started using a new piece of malware, which Volexity has dubbed “PowerDuke.”

Unlike in previous attacks, which involved ZIP files containing malicious executables, the threat group delivered PowerDuke via emails carrying macro-enabled Word and Excel documents. The malicious documents were set up to install a downloader designed to fetch the PowerDuke backdoor.

PowerDuke was also used in attacks launched in October and the ones observed on November 9, after the presidential election in the U.S.

The first attack wave spotted after the elections involved fake eFax emails titled “The Shocking Truth About Election Rigging in the United States.” This wave was similar to earlier attacks where the APT actor used links pointing to ZIP files to deliver its backdoors.

Advertisement. Scroll to continue reading.

The second attack used the same eFax theme, but the emails were titled “Elections Outcome Could Be Revised [Facts of Elections Fraud]” and they delivered PowerDuke via macro-enabled documents.

The third wave involved emails coming from a address and messages apparently sent via the “Harvard PDF Mobile Service.” Titled “Why American Elections Are Flawed,” these emails also carried PowerDuke malware.

The next two waves also leveraged Harvard FAS email addresses and they appeared to be forwarded from someone at the Clinton Foundation. The hacker calling himself Guccifer 2.0, which experts believe could be a persona used by Russian cyberspies, claimed in October that he had hacked the Clinton Foundation, but the organization refuted the claims.

PowerDuke, which is deployed on a system only after anti-analysis checks are conducted, is capable of collecting information about the infected device, creating and terminating processes, downloading and uploading files, and obtaining text from the current window. The backdoor is hidden in innocent-looking PNG image files and some of its components are loaded only in memory.

The U.S. has officially accused Russia of launching cyberattacks in an effort to interfere with the presidential election. Washington has vowed to respond and some officials even claim the U.S. has already hacked Russia’s critical infrastructure. Moscow has demanded an explanation for these reports.

Related: Clinton – ‘Grave’ Concern Russia Interfering in U.S. Elections

Related: Russia Hacks U.S. Networks ‘All the Time’, Says Spy Chief

Related: State Election System Hacking Linked to Previous Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


On the first anniversary of Russia’s invasion of Ukraine, cybersecurity companies summarize the cyber operations they have seen and their impact.


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...


Ask any three people to define cyberwar and you will get three different answers. But as global geopolitics worsen and aggressive cyberattacks increase, this...


Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...