Suspected APT29 Phishing Campaign Targets Multiple Industries
According to analysis by cybersecurity firm FireEye, a recent phishing campaign targeting multiple government and critical infrastructure sector entities may be attributed to APT29, a known advanced persistent threat group. First detected on November 14, the phishing emails appear to come from a public affairs official at the US Department of State (DOS) and include a link to a ZIP archive containing a malicious Windows shortcut file that delivers the Cobalt Strike Beacon backdoor and a US DOS decoy document. The actors are believed to have compromised the email server of a hospital and the website of a consulting firm to use as their infrastructure for sending the phishing emails. Targeted industries include defense contractors, imagery, law enforcement, media, national government, pharmaceuticals, think tanks, transportation, and the US military. The NJCCIC recommends those that may be considered high-value targets for APT operations review the FireEye report for technical details; tactics, techniques, and procedures (TTPs); and associated indicators of compromise (IOCs). Organizations are advised to educate end users on this and similar threats; implement a defense-in-depth cybersecurity strategy; employ the Principle of Least Privilege; and keep anti-virus/anti-malware, hardware, and software updated.