Category Archives: russia

Business Email Compromise (BEC) Criminal Ring

A criminal group called Cosmic Lynx seems to be based in Russia:

Dubbed Cosmic Lynx, the group has carried out more than 200 BEC campaigns since July 2019, according to researchers from the email security firm Agari, particularly targeting senior executives at large organizations and corporations in 46 countries. Cosmic Lynx specializes in topical, tailored scams related to mergers and acquisitions; the group typically requests hundreds of thousands or even millions of dollars as part of its hustles.


For example, rather than use free accounts, Cosmic Lynx will register strategic domain names for each BEC campaign to create more convincing email accounts. And the group knows how to shield these domains so they're harder to trace to the true owner. Cosmic Lynx also has a strong understanding of the email authentication protocol DMARC and does reconnaissance to assess its targets' specific system DMARC policies to most effectively circumvent them.

Cosmic Lynx also drafts unusually clean and credible-looking messages to deceive targets. The group will find a company that is about to complete an acquisition and contact one of its top executives posing as the CEO of the organization being bought. This phony CEO will then involve "external legal counsel" to facilitate the necessary payments. This is where Cosmic Lynx adds a second persona to give the process an air of legitimacy, typically impersonating a real lawyer from a well-regarded law firm in the United Kingdom. The fake lawyer will email the same executive that the "CEO" wrote to, often in a new email thread, and share logistics about completing the transaction. Unlike most BEC campaigns, in which the messages often have grammatical mistakes or awkward wording, Cosmic Lynx messages are almost always clean.
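The excerpt above notes that Cosmic Lynx checks a target's DMARC policy before deciding how to spoof it, so the first defensive check is whether your own domain publishes a policy that actually enforces anything. The following is an added example, not code from the original post or from Agari: it parses a DMARC TXT record (tag semantics per RFC 7489) and grades it as broken, monitor-only, partial, or enforcing. The record strings are constructed samples, and the function and class names are the example's own.

```python
"""Grade a domain's DMARC TXT record (tag semantics per RFC 7489).

Added example: the record strings are constructed, and the names here are
not from the original post or from Agari.
"""
from __future__ import annotations

from dataclasses import dataclass, field

VALID_POLICIES = {"none", "quarantine", "reject"}


@dataclass
class DmarcPolicy:
    policy: str = ""            # p=  : none | quarantine | reject
    subdomain_policy: str = ""  # sp= : defaults to p when absent
    percent: int = 100          # pct=: share of failing mail the policy applies to
    rua: list[str] = field(default_factory=list)  # aggregate-report addresses
    adkim: str = "r"            # DKIM alignment, r (relaxed) or s (strict)
    aspf: str = "r"             # SPF alignment, r or s
    problems: list[str] = field(default_factory=list)  # syntax faults found


def parse_dmarc(record: str) -> DmarcPolicy:
    """Split the 'tag=value; tag=value' record; unknown tags are ignored."""
    pol = DmarcPolicy()
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            pol.problems.append(f"malformed tag {part!r}")
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()

    # The version tag must be first and read DMARC1, or receivers drop the record.
    if next(iter(tags), None) != "v" or tags["v"].upper() != "DMARC1":
        pol.problems.append("first tag is not v=DMARC1; receivers will ignore the record")
    pol.policy = tags.get("p", "").lower()
    if pol.policy not in VALID_POLICIES:
        pol.problems.append("missing or invalid p= tag")
    pol.subdomain_policy = tags.get("sp", pol.policy).lower()
    if pol.policy in VALID_POLICIES and pol.subdomain_policy not in VALID_POLICIES:
        pol.problems.append("invalid sp= tag")
    try:
        pol.percent = int(tags.get("pct", "100"))
        if not 0 <= pol.percent <= 100:
            raise ValueError
    except ValueError:
        pol.problems.append("pct= must be an integer between 0 and 100")
    pol.rua = [a.strip() for a in tags.get("rua", "").split(",") if a.strip()]
    pol.adkim = tags.get("adkim", "r").lower()
    pol.aspf = tags.get("aspf", "r").lower()
    return pol


def grade(pol: DmarcPolicy) -> tuple[str, list[str]]:
    """Return (grade, findings); grades are broken, monitor-only, partial, enforcing."""
    if pol.problems:
        return "broken", list(pol.problems)
    findings: list[str] = []
    if pol.policy == "none":
        findings.append("p=none: spoofed mail is still delivered; only reports are produced")
    if pol.subdomain_policy == "none" and pol.policy != "none":
        findings.append("sp=none: mail spoofing a subdomain is not blocked")
    if pol.percent < 100:
        findings.append(f"pct={pol.percent}: the policy is applied to only part of failing mail")
    if not pol.rua:
        findings.append("no rua=: nobody receives the aggregate reports that reveal abuse")
    if pol.adkim == "r" or pol.aspf == "r":
        findings.append("relaxed alignment (default): an authenticated subdomain aligns with the org domain")
    if pol.policy == "none":
        return "monitor-only", findings
    enforcing = pol.policy == "reject" and pol.subdomain_policy == "reject" and pol.percent == 100
    return ("enforcing" if enforcing else "partial"), findings


# Constructed sample records, one per grade.
SAMPLE_RECORDS = {
    "monitor": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example.com",
    "enforcing": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com",
    "broken": "p=reject; v=DMARC1",  # version tag is not first
}


def grade_all(records: dict[str, str]) -> dict[str, str]:
    """Grade each record string, keyed by whatever label the caller used."""
    return {name: grade(parse_dmarc(rec))[0] for name, rec in records.items()}


if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        verdict, findings = grade(parse_dmarc(rec))
        print(f"{name:10} -> {verdict}")
        for finding in findings:
            print("   -", finding)
```

In practice the record string comes from a TXT lookup of `_dmarc.<domain>`; only a `p=reject` policy at `pct=100`, with subdomains covered, stops a forged From: header from reaching the inbox, and `p=none` is the setting that a reconnaissance step like the one described above is looking for.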

Idle Threats Or a Harbinger of Things to Come?

According to recent reporting, a suspected nation-state hacker group with alleged ties to the Iranian government issued death threats to researchers who had detected its cyber espionage activity. The researchers were checking a server that they believed to be associated with a specific data breach when they received the message “Stop!!! I Kill You Researcher.” According to the same report, the server was apparently attached to the attackers’ command-and-control infrastructure. Active since 2015, the group known as “MuddyWaters” has been observed targeting organizations in Georgia, India, Iraq, Pakistan, Saudi Arabia, Tajikistan, Turkey, and the United States. Recently, MuddyWaters has been observed targeting oil and gas entities in the Middle East. Notably, the group is believed to employ “false flag” operations – similar to what was believed to have been done during the recent Olympics – in which it adopted some of the tactics, techniques, and procedures (TTPs) of suspected Chinese hackers to obfuscate the group’s true identity.


On the surface, the threat made against the researchers can be viewed as a knee-jerk reaction to being tracked by the private sector. But it does raise the question of what hostile actors may resort to in the future. The private-sector computer security industry has been aggressively investigating the activities of suspected nation-state actors since 2004, when the first report on the activities of a Chinese state entity was published. Since that time, several subsequent public reports have detailed “advanced persistent threat” operations, including TTPs and targeting, that have ultimately been attributed to specific nation-state actors. While the standard public reaction of these governments has been to refute or deny the claims, citing the difficulty of providing adequate evidence to support attribution, sanctions and alleged retaliatory strikes have been known to occur as a result of these accusations.


The potential for escalatory cyber strikes in response to such actions is a real concern, and one that has been raised in the press. One reason the United States, for example, has not retaliated against suspected Russian involvement in the 2016 U.S. presidential election is not knowing how such an adversary might reciprocate any retaliatory strike against its interests. This is a very legitimate concern, as cyberspace activities are still relatively new and nation states around the world are eagerly trying to buy, develop, or acquire an offensive cyber capability.


And this is where thinking may be too narrowly focused. A state or non-state entity does not have to resort to cyberspace to retaliate against an attack that it has suffered in cyberspace. It is not a one-for-one arrangement. Threatening to retaliate in the physical world provides another potential attack vector that needs to be considered. After all, many of the published vendor APT reports contain the names of those involved in writing them – individuals who likely have a footprint on the Internet. Attackers can find out their personally identifiable information and either post it for others to target or use it for their own purposes. Doxxing – disclosing the PII of victims – has long been a weapon in the hacktivist arsenal. In 2016, the United Cyber Caliphate published “kill lists” of U.S. military personnel to encourage ISIS sympathizers and lone wolves to commit acts of violence against them. Although to date there is no known attack resulting from disclosures such as this, it bears watching whether that may transpire in the future.


Nation states have been suspected of carrying out physical attacks on specific individuals. Recently, a Russian spy is believed to have been poisoned at the behest of the Russian government. In 2017, suspected North Korean agents used poison on Kim Jong Un’s brother at a Malaysian airport. Granted, these attacks weren’t the result of cyber activity, but they do demonstrate that the capability is there if the intent is present. Given that Iran is widely considered the world’s leading nation-state supporter of terrorism, it has a large network of agents to call upon to target individuals it may view as threatening to its interests. Iran has been suspected of conducting “assassinations” in the past, a claim that it has denied.


For the time being, this appears to be a one-time threat. But how nation states respond to cyber attacks and significant cyber incidents can influence what accused governments may do in response to any retaliation. Let’s hope that this confluence between cyberspace and the physical world remains theoretical and is not a harbinger of things to come.


This is a guest post written by Emilio Iasiello


DHS and FBI Joint Analysis Report Confirms FireEye’s Assessment that Russian Government Likely Sponsors APT28 and APT29

On Dec. 29, 2016, the Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) released a Joint Analysis Report confirming FireEye’s long-held public assessment that the Russian government likely sponsors the groups that we track as Advanced Persistent Threat (APT) 28 and APT29. We have tracked and profiled these groups through multiple investigations, endpoint and network detections, and continuous monitoring, allowing us to understand the groups’ malware, operational changes and motivations. This intelligence has been critical to protecting and informing our clients and exposing this threat.

FireEye first publicly announced that the Russian government likely sponsors APT28 in a report released in October 2014. APT28 has pursued military and political targets in the U.S. and globally, including U.S. political organizations, anti-doping agencies, NGOs, foreign and defense ministries, defense attachés, media outlets, and high-profile government and private sector entities. Since at least 2007, APT28 has conducted operations using a sophisticated set of malware that employs a flexible, modular framework allowing APT28 to consistently evolve its toolset for future operations. APT28’s operations closely align with Russian military interests, and the 2016 breaches and subsequent public data leaks demonstrate the Russian government's wide-ranging approach to advancing its strategic political interests.

In July 2015, we released a report focusing on a tool used by APT29, malware that we call HAMMERTOSS. In detailing the sophistication and attention to obfuscation evident in HAMMERTOSS, we sought to explain how APT29’s tool development effort defined a clandestine, well-resourced and state-sponsored effort. Additionally, we have observed APT29 target and breach entities including government agencies, universities, law firms and private sector targets. APT29 remains one of the most capable groups that we track, and the group’s past and recent activity is consistent with state espionage.

The Joint Analysis Report also includes indicators for another group we (then iSIGHT Partners) profiled publicly in 2014: Sandworm Team. Since 2009, this group has targeted entities in the energy, transportation and financial services industries. They have deployed destructive malware that impacted the power grid in Ukraine in late 2015 and used related malware to affect a Ukrainian ministry and other financial entities in December 2016. Chiefly characterized by their use of the well-known BlackEnergy trojan, Sandworm Team has often retrofitted publicly available malware to further their offensive operations. Sandworm Team has exhibited considerable skill and used extensive resources to conduct offensive operations.