CozyDuke Operators Masterminded White House, State Department Attacks: Kaspersky

A sophisticated threat group christened "CozyDuke", also infamously nicknamed 'CozyBear' and 'CozyCar', is probably the mastermind of last year's cyber attacks against the US White House and the its State Department, according to security firm Kaspersky.

In October last year, news of first cyber attack made breaking headlines as it was alleged that the White House is supposedly probing an internal security breach, allegedly sponsored by a rival nation. Then in November 2014, Department of State officials downed the email network after infiltration in parts of a machine used for managing unclassified email emerged.

Kaspersky security experts disclosed that the APT threat actors exploited numerous high-end businesses in the latter half of 2014.

Interestingly, the malware CozyDuke is very much alike to components intercepted in previously analyzed APTs like MiniDuke, OnionDuke and CosmicDuke.

Similar to other APTs, the malware (CozyDuke) is kicked off with the help of a usual spear phishing campaign. Emails contain URLs to a hijacked version of an authentic site that's engineered for hosting a ZIP file, which involves a RAR SFX that after installing the malware goes on to display a blank PDF.

In another example, criminals dispatch an email with an attachment supposedly a 'flash video'. Once clicked open a flash video started playing, which as the title proposes, shows chimpanzees sporting ties.

These videos are enthusiastically shared around offices with systems becoming infected silently in the background, explained Security Researchers Kurt Baumgartner and Costin Raiu of Kaspersky Lab, as published by threatpost.com on April 22, 2015.

Kaspersky noted that the crooks made use of anti-detection abilities.

And while Kaspersky researchers with-held the probable origin of CozyDuke's operators, security firms that have formerly analyzed MiniDuke, OnionDuke and CosmicDuke, have a strong perception that its controlled by the Russian government.

The probable connection between last year's State Department breach and Russian cybercriminals has been brought out before too. In February this year, the WSJ (Wall Street Journal) carried a report that said five anonymous individuals familiar to the infiltration scandal had witnessed or had been informed about connections between the malware employed in the breach and the Russians.

» SPAMfighter News - 4/28/2015