Spear phishing isn’t a new tactic hackers use to get access to networks and IT systems. But according to malware researchers at Palo Alto Networks’ Unit 42, it’s still being used against government agencies, though in a new way.
The Sofacy group — a well-known hacking outfit also known as APT28 that security researchers have linked to the Russian government — carried out the recent attack, according to Palo Alto.
It’s unclear which federal agencies have been targeted in the attack. Palo Alto is not saying which agencies are involved or whether an employee clicked on an email that unleashed the malware, according to FCW. Spear-phishing involves hackers sending an email that appears to come from an individual or business the recipient knows (but does not); the hackers gain access to the user’s files once the user acts on the email’s malicious link or attachment.
Federal Times reports: “In late May, Unit 42 researchers discovered a spear-phishing email sent to U.S. officials purporting to be from an official from another country’s Ministry of Foreign Affairs. The email included an attachment referencing a joint NATO operation with the U.S. and Georgia, though it actually contained malicious code meant to ‘gain an initial foothold on the system.’”
A New Kind of Attack
According to a blog post from Palo Alto, Unit 42’s “analysis of the attack revealed a high likelihood that the sender’s email address was not spoofed and is instead a result of a compromised host or account belonging to that Ministry.”
The email contained an RTF file as an attachment, which served as a “weaponized document that attempts” to load a Trojan onto the target’s computer. That Trojan then executes another file, which is a variant of the Sofacy Trojan.
“Surprisingly, unlike many other espionage actors who display decoy documents after successful exploitation, this RTF document does not drop or open a decoy document after exploiting the vulnerability,” Palo Alto says.
Despite that, the researchers observed the delivery document creating an unusual registry key that it uses for persistence to run the Trojan. Instead of running the file that executes the Trojan when the user starts his or her computer, the key causes it to run when the user opens a Microsoft Office application.
“This is the first time Unit 42 has seen the Sofacy group, or any other threat group for that matter, use this tactic for persistence purposes,” the researchers say. “An added benefit for the threat actor to using this specific tactic for persistence is that it requires user interaction to load and execute the malicious payload, which can cause challenges for detection in automated sandboxes.”
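Because this persistence only fires when a user opens an Office application, a sandbox that never does so may see nothing; the registry write itself, however, is visible in endpoint telemetry. The following added example (not Unit 42’s or the article’s code) shows that detection approach over constructed Sysmon Event ID 13 lines: it flags a value written under a user’s Microsoft Office hive whose data points at a DLL or executable in a user-writable directory. The field layout, SIDs, subkey names and file paths are all constructed placeholders, not values from the incident.

```python
import re
from pathlib import PureWindowsPath

# Heuristic: a registry value set under HKU\<SID>\Software\Microsoft\Office\...
# whose data is a path to a DLL/EXE in a user-writable location is a candidate
# Office-load persistence entry. Subkey names below are constructed placeholders.
OFFICE_HIVE = re.compile(r"\\Software\\Microsoft\\Office\\", re.IGNORECASE)
PAYLOAD_EXT = {".dll", ".exe", ".scr"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def parse_sysmon13(line: str) -> dict:
    """Parse a flattened 'Field: value | Field: value' Sysmon line into a dict.
    Only the first colon of each part separates name from value, so paths
    such as C:\\... survive intact."""
    fields = {}
    for part in line.split("|"):
        name, _, value = part.partition(":")
        fields[name.strip()] = value.strip()
    return fields


def is_office_load_persistence(event: dict) -> bool:
    """True when a value under the Office hive points at a payload in a user-writable path."""
    if event.get("EventType") != "SetValue":
        return False
    if not OFFICE_HIVE.search(event.get("TargetObject", "")):
        return False
    data = event.get("Details", "").strip('"')
    if PureWindowsPath(data).suffix.lower() not in PAYLOAD_EXT:
        return False  # e.g. ordinary DWORD settings written by Office itself
    lowered = data.lower()
    return any(marker in lowered for marker in USER_WRITABLE)


def scan(lines):
    """Return the TargetObject of every line that matches the heuristic."""
    return [e["TargetObject"] for e in map(parse_sysmon13, lines) if is_office_load_persistence(e)]


# Constructed sample telemetry (not captured from the incident in the article).
SAMPLE = [
    "EventID: 13 | EventType: SetValue | Image: C:\\Users\\analyst\\AppData\\Local\\Temp\\loader.exe | TargetObject: HKU\\S-1-5-21-0-0-0-1001\\Software\\Microsoft\\Office\\ExampleSubkey\\Perf | Details: C:\\Users\\analyst\\AppData\\Roaming\\payload.dll",
    "EventID: 13 | EventType: SetValue | Image: C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE | TargetObject: HKU\\S-1-5-21-0-0-0-1001\\Software\\Microsoft\\Office\\16.0\\Word\\Options\\ShowBreaks | Details: DWORD (0x00000001)",
    "EventID: 13 | EventType: SetValue | Image: C:\\Windows\\explorer.exe | TargetObject: HKU\\S-1-5-21-0-0-0-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater | Details: C:\\Users\\analyst\\AppData\\Local\\Temp\\upd.exe",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print("possible Office-load persistence:", hit)
```

The third sample line is classic Run-key persistence and is intentionally not matched here; it belongs to a separate autostart rule, which keeps this heuristic specific to the Office-triggered variant.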
Bryan Lee, a threat intelligence analyst at Palo Alto, told FCW that the Sofacy group is akin to a “bull in the china shop” because the hackers reuse a large amount of their code and sometimes do not hide their activities well.
“The Sofacy group continues its attack campaigns on government organizations, specifically the U.S. government in this latest spear-phishing example,” the Palo Alto researchers say. “The threat group added a new persistence mechanism that requires user interaction by loading its payload into Microsoft Office applications when opened, which may help the actors to evade detection. The use of this new persistence method shows the continued development of tactics and techniques employed by this threat group, oftentimes in clever ways as we observed in this instance.”
Best Practices for Spear-Phishing Defense
There are some common best practices federal agencies and their IT staffs can take advantage of to combat spear-phishing attacks.
For example, researchers at security firm FireEye said, “security teams must first train users to recognize, avoid and report suspicious emails — it is important for every employee to recognize that their roles grant them access to different data, the currency of the information economy.”
IT security teams also need to “implement, maintain and update security technology and processes to prevent, detect and respond to ever-evolving spear-phishing threats,” FireEye says, adding that they need to invest in “actively updated threat intelligence and expertise to meet their needs.”
As CSO Online reports, other tactics include deploying security solutions that check the safety of an emailed link when a user clicks on it, known as inbox sandboxing. Another tool agencies can use is intelligent gateways that analyze traffic in real time. Finally, as always, agencies need to educate employees on the dangers of spear-phishing.
Meanwhile, FCW reports that Defense Department officials are “penalizing DOD users who succumb to the trick emails. The department has also neutered links in emails, forcing users to copy and paste URLs.”