CozyDuke hackers targeting prominent US targets
Russian speakers offer up spoofed emails, ZIPs and malware
A newly discovered group of cyber-spies are closely targeting high profile US targets, possibly including both the White House and the State Department.
The so-called CozyDuke hackers make extensive use of spear-phishing, sometimes using emails containing a link to a hacked (otherwise legitimate) websites such as "diplomacy.pl".
The spoofed emails invite marks to open a ZIP archive with malware inside. Other tactics in play include phony Flash videos and spamming out email attachments with malicious executables.
CozyDuke (AKA CozyBear or "Office Monkeys") became increasingly active in the second half of 2014, according to security researchers at Russian security firm Kaspersky Labs.
The presumably state-sponsored spies make extensive use of crypto and anti-detection by anti-virus capabilities.
The toolset used by the CozyDuke hackers has strong similarities with the MiniDuke, CosmicDuke and OnionDuke cyber-espionage campaigns – all operations believed to have Russian-speaking authors behind them, as Kaspersky Lab notes.
It's mostly focused on the US but CozyDuke's targets also includes government organisations and commercial entities in Germany, South Korea and Uzbekistan.
Kurt Baumgartner, principal security researcher at Kaspersky Lab’s Global Research and Analysis Team, explained that it had been monitoring both MiniDuke and CosmicDuke for couple of years and that CozyDuke was "definitely connected" to these campaigns.
"CozyDuke is definitely connected to these two campaigns, as well as to the OnionDuke cyberespionage operation," he said. "Every one of these threat actors continues to track their targets, and we believe their espionage tools are all created and managed by Russian-speakers.”