With half of America celebrating the victory of the Republicans and President-elect Trump, and the other half mourning the result, a targeted phishing campaign engulfed various US think tanks and NGOs this week.
Security firm Volexity spotted the attack, which began around six hours after the President-elect clinched the necessary electoral votes. The phishing emails were sent using a mix of Gmail accounts and from compromised email accounts at Harvard's Faculty of Arts and Sciences (FAS). Five waves of malware were sent out in the attack.
"Three of the five attack waves contained links to download files from domains that the attackers appear to have control over," the firm said in an advisory. "The other two attacks contained documents with malicious macros embedded within them. Each of these different attack waves was slightly different from one another."
The phishing emails were all election themed. Two claimed to have come from the Clinton Foundation with news about the results, two others claimed to have evidence that the election had been rigged, and one offered apparent post-election analysis.
Volexity said that it believes the messages were sent by the APT29 hacking crew (also known as the Dukes), which is thought to be run by, or in close conjunction with, Russian state-sponsored hackers. The gang is linked to the shadowy figures behind the attack on the Democratic National Committee and other attacks on government databases and NGOs.
The attacks all deliver the PowerDuke malware, which is sophisticated both in how it infects a host and in how it conceals its presence. The toolkit gives the operators a wide range of commands and hides its backdoor components inside PNG image files, so the payload travels as what looks like an ordinary picture.
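The PNG hiding place is a good reason to treat image files in a suspicious mailbox as more than pictures. What follows is an added example, not code from Volexity or from the PowerDuke samples: a small Python checker that walks a PNG's chunk list and flags the generic hiding spots (bytes appended after the IEND chunk, chunk types the PNG specification does not define, and chunks whose CRC does not match their content). It makes no claim to replicate the exact embedding PowerDuke uses; the sample images it inspects are constructed inside the script.

```python
import struct
import zlib

# PNG file signature and the chunk types defined by the PNG spec plus the
# common extensions (APNG, eXIf). Anything else deserves a closer look.
PNG_SIG = b"\x89PNG\r\n\x1a\n"
KNOWN_CHUNKS = {
    "IHDR", "PLTE", "IDAT", "IEND", "tRNS", "cHRM", "gAMA", "iCCP", "sBIT",
    "sRGB", "tEXt", "zTXt", "iTXt", "bKGD", "hIST", "pHYs", "sPLT", "tIME",
    "eXIf", "acTL", "fcTL", "fdAT",
}


def parse_png_chunks(data):
    """Walk the chunk list; return (chunks, trailing_bytes).

    Each chunk is (type, length, crc_ok). Parsing stops at IEND, so any
    bytes left over are data a PNG decoder would never read.
    """
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    chunks = []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            raise ValueError("truncated chunk at offset %d" % pos)
        expected = struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)
        chunks.append((ctype.decode("latin-1"), length, crc == expected))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, len(data) - pos


def inspect_png(data):
    """Return a list of human-readable findings; an empty list means nothing odd."""
    chunks, trailing = parse_png_chunks(data)
    findings = []
    for ctype, length, crc_ok in chunks:
        if ctype not in KNOWN_CHUNKS:
            findings.append("non-standard chunk %s (%d bytes)" % (ctype, length))
        if not crc_ok:
            findings.append("bad CRC on %s" % ctype)
    if trailing:
        findings.append("%d bytes of data after IEND" % trailing)
    return findings


def make_chunk(ctype, body):
    """Encode one PNG chunk with a correct CRC."""
    crc = struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)
    return struct.pack(">I", len(body)) + ctype + body + crc


def build_sample(extra_chunks=(), trailer=b""):
    """Constructed 1x1 greyscale PNG, optionally with extra chunks before
    IEND and/or bytes appended after it. Test data made here, not a real
    file from the campaign."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    png = PNG_SIG + make_chunk(b"IHDR", ihdr) + make_chunk(b"IDAT", idat)
    for ctype, body in extra_chunks:
        png += make_chunk(ctype, body)
    return png + make_chunk(b"IEND", b"") + trailer


if __name__ == "__main__":
    samples = [
        ("clean", build_sample()),
        ("appended payload", build_sample(trailer=b"MZ" + b"\x00" * 102)),
        ("private chunk", build_sample(extra_chunks=[(b"prVt", b"\x01" * 64)])),
    ]
    for name, sample in samples:
        print(name, "->", inspect_png(sample) or "ok")
```

Run it over a directory of attachments and triage whatever returns findings; a legitimate image editor rarely appends data past IEND or invents chunk types, so hits are few and worth a look. The checker deliberately ignores pixel data, so a payload hidden by altering pixel values would pass it; that case needs a comparison against a known-good original or statistical steganalysis.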
"The group's anti-virtual-machine macros and PowerShell scripts appear to have drastically reduced the number of sandboxes and bots that the group has to deal with on their command and control infrastructure," the advisory states.
"Volexity believes that the Dukes are likely working to gain long-term access into think tanks and NGOs and will continue to launch new attacks for the foreseeable future." ®