The document attachment exploits the Equation Editor vulnerability to contact a URL and download an executable: the malware. Data is then exfiltrated via SMTP to an email address.
Microsoft: Cyber warfare against U.S. political targets is growing as the elections approach, both against the Trump and Biden campaigns
Cyber warfare against U.S. political targets is growing as the elections approach, according to Microsoft's cyber security experts. In recent weeks, the company detected cyber attacks targeting people and organizations involved in the upcoming presidential election, including unsuccessful attacks on people associated with both the Trump and Biden campaigns. The activity Microsoft observed makes clear that foreign activity groups have stepped up their efforts targeting the 2020 election, as had been anticipated, and is consistent with what the U.S. government and others have reported. Other institutions and enterprises worldwide have been hit with similar adversary activity.
The cyber security experts: The worst threats come from well known actors: Strontium, Zirconium and Phosphorus
According to the cyber security experts, the worst cyber warfare threats come from well known state-sponsored actors. Strontium, operating from Russia, has attacked more than 200 organizations including political campaigns, advocacy groups, parties and political consultants. Zirconium, operating from China, has attacked high-profile individuals associated with the election, including people associated with the Joe Biden for President campaign and prominent leaders in the international affairs community. Phosphorus, operating from Iran, has continued to attack the personal accounts of people associated with the Donald J. Trump for President campaign. Researchers confirmed that what they have seen is consistent with previous attack patterns, which target not only candidates and campaign staffers but also those they consult on key issues.
The Strontium efforts
Strontium is launching campaigns to harvest people's log-in credentials or compromise their accounts, presumably to aid in intelligence gathering or disruption operations. Many of Strontium's targets in this campaign, which has affected more than 200 organizations in total, are directly or indirectly affiliated with the upcoming U.S. election as well as political and policy-related organizations in Europe. These targets include: U.S.-based consultants serving Republicans and Democrats; think tanks such as The German Marshall Fund of the United States and advocacy organizations; national and state party organizations in the U.S.; and the European People's Party and political parties in the UK. Others targeted recently include businesses in the entertainment, hospitality, manufacturing, financial services and physical security industries.
The Russian APT tools and TTPs
Strontium has evolved its tactics since the 2016 election to include new reconnaissance tools and new techniques to obfuscate its operations. In 2016, the group primarily relied on spear phishing to capture people's credentials. In recent months, it has engaged in brute force attacks and password spraying, two tactics that have likely allowed it to automate aspects of its operations. Unlike brute force, which hammers one account with many guesses, spraying tries a few common passwords across many accounts, so no single account trips a lockout threshold. Strontium also disguised these credential harvesting attacks in new ways, running them through more than 1,000 constantly rotating IP addresses, many associated with the Tor anonymizing service. Strontium even evolved its infrastructure over time, adding and removing about 20 IPs per day to further mask its activity.
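The two patterns above look very different in sign-in telemetry, and the IP rotation means a per-source-IP rule alone will miss the spray. The following detector is an added example written for this page, not code from Microsoft's report or from any product; it runs over a constructed sign-in log in a simple made-up "timestamp account ip result" format, and the window size and thresholds are illustrative assumptions to be tuned to a tenant's baseline. It groups failures into fixed time windows, flags a spray (many accounts, one or two failures each, from a set of rotating IPs), flags a brute force (one account, many failures), and, most usefully, reports any successful sign-in from an IP that was seen spraying in the same window.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample sign-in log (not real data). One event per line:
# "<ISO-8601 UTC timestamp> <account> <source IP> <FAIL|SUCCESS>".
# Block 1: one failure each against ten accounts from seven rotating IPs, then a
#          success for an eleventh account from one of those IPs (spray pattern).
# Block 2: twelve failures against one account from one IP (brute force).
# Block 3: a user mistyping once and then logging in (benign, must not alert).
SAMPLE_LOG = "\n".join(
    [
        "2020-08-20T10:00:01Z alice 203.0.113.10 FAIL",
        "2020-08-20T10:00:03Z bob 203.0.113.11 FAIL",
        "2020-08-20T10:00:05Z carol 203.0.113.12 FAIL",
        "2020-08-20T10:00:07Z dave 203.0.113.10 FAIL",
        "2020-08-20T10:00:09Z erin 203.0.113.13 FAIL",
        "2020-08-20T10:00:11Z frank 203.0.113.14 FAIL",
        "2020-08-20T10:00:13Z grace 203.0.113.11 FAIL",
        "2020-08-20T10:00:15Z heidi 203.0.113.15 FAIL",
        "2020-08-20T10:00:17Z ivan 203.0.113.12 FAIL",
        "2020-08-20T10:00:19Z judy 203.0.113.16 FAIL",
        "2020-08-20T10:00:21Z karl 203.0.113.16 SUCCESS",
    ]
    + [f"2020-08-20T10:05:{i:02d}Z mallory 198.51.100.7 FAIL" for i in range(12)]
    + [
        "2020-08-20T11:00:00Z alice 192.0.2.5 FAIL",
        "2020-08-20T11:00:30Z alice 192.0.2.5 SUCCESS",
    ]
)


@dataclass
class Event:
    ts: datetime
    user: str
    ip: str
    result: str


@dataclass
class Finding:
    kind: str                 # "password_spray" or "brute_force"
    window_start: datetime
    users: list
    ips: list
    compromised: list = field(default_factory=list)  # successes from spraying IPs


def parse_log(text):
    """Parse the constructed log format above into Event objects (UTC-aware)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        ts = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, user, ip, result))
    return events


def detect(events, window=timedelta(minutes=10), spray_min_users=8,
           spray_max_per_user=2, brute_min_attempts=10):
    """Flag spray and brute-force patterns per fixed time window.
    Thresholds are illustrative assumptions, not values from the report."""
    secs = window.total_seconds()
    buckets = defaultdict(list)
    for e in events:
        buckets[int(e.ts.timestamp() // secs)].append(e)

    findings = []
    for key in sorted(buckets):
        evs = buckets[key]
        start = datetime.fromtimestamp(key * secs, tz=timezone.utc)
        fails = [e for e in evs if e.result == "FAIL"]
        per_user = Counter(e.user for e in fails)

        # Spray: many distinct accounts, each touched only once or twice, so
        # no per-account lockout fires. Report the source IPs as a set, since
        # the actor rotates them; a per-IP rule would see nothing unusual.
        sprayed = sorted(u for u, n in per_user.items() if n <= spray_max_per_user)
        if len(sprayed) >= spray_min_users:
            ips = sorted({e.ip for e in fails if e.user in sprayed})
            # A success from an IP that was spraying is the alert worth paging on.
            hit = sorted({e.user for e in evs if e.result == "SUCCESS" and e.ip in ips})
            findings.append(Finding("password_spray", start, sprayed, ips, hit))

        # Brute force: one account hammered repeatedly from few sources.
        for user, n in sorted(per_user.items()):
            if n >= brute_min_attempts:
                ips = sorted({e.ip for e in fails if e.user == user})
                findings.append(Finding("brute_force", start, [user], ips))
    return findings


if __name__ == "__main__":
    for f in detect(parse_log(SAMPLE_LOG)):
        print(f.kind, f.window_start.isoformat(), "accounts:", len(f.users),
              "ips:", f.ips, "compromised:", f.compromised)
```

On the constructed data this yields one spray finding (ten accounts, seven source IPs, with karl's success from 203.0.113.16 listed as a likely compromise) and one brute-force finding for mallory; alice's single mistyped password in the later window produces nothing. Fixed windows are used for simplicity; a sliding window catches sprays that straddle a boundary, and in practice the low-and-slow variant (one guess per account per day) needs a window of hours or days, with correspondingly higher account thresholds.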
Chinese state-sponsored hackers launched thousands of attacks between March 2020 and September 2020, resulting in nearly 150 compromises
Microsoft detected thousands of attacks from Zirconium between March 2020 and September 2020, resulting in nearly 150 compromises. Its targets have fallen into two categories. First, people closely associated with U.S. presidential campaigns and candidates. For example, it appears to have indirectly and unsuccessfully targeted the Joe Biden for President campaign through non-campaign email accounts belonging to people affiliated with the campaign. The group has also targeted at least one prominent individual formerly associated with the Trump Administration. Second, prominent individuals in the international affairs community, academics in international affairs from more than 15 universities, and accounts tied to 18 international affairs and policy organizations including the Atlantic Council and the Stimson Center.
The Zirconium “style”
Zirconium is using what are referred to as web bugs, or web beacons, tied to a domain it purchased and populated with content. The actor then sends the associated URL in either email text or an attachment to a targeted account. Although the domain itself may not host malicious content, a request for the web bug tells Zirconium that a user attempted to access the site. For nation-state actors, this is a simple way to perform reconnaissance on targeted accounts: a hit confirms the address is valid, the mailbox is read, and the recipient is active, before any payload is ever sent.
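Because the beacon domain serves benign content, URL reputation will not catch it; what gives a web bug away is its shape. The mail-side check below is an added example written for this page, not code from Microsoft or from any mail product. It parses a constructed HTML message body (the sender domain, hosts and token value are made up), and flags remote images and links whose host is outside the sender's organisation and which either are a 1x1 image or carry an opaque per-recipient identifier in the URL. It also reports identifiers that recur across references, since the same token in a tracking pixel and in the call-to-action link is what ties both back to one recipient.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample message body (not a real email). The sender claims to be
# example-think-tank.test; two of the four remote references point at an
# unrelated host and carry the same opaque per-recipient token.
SENDER_DOMAIN = "example-think-tank.test"
SAMPLE_HTML = """
<p>Please see the attached briefing.</p>
<img src="https://cdn.example-news.test/track/open?r=9f3a2c7e1b4d5a6f8c0e" width="1" height="1">
<p><a href="https://cdn.example-news.test/reports/q3?r=9f3a2c7e1b4d5a6f8c0e">Read the full report</a></p>
<p><a href="https://www.example-think-tank.test/events">Our events</a></p>
<img src="https://www.example-think-tank.test/logo.png" width="120" height="40">
"""

# Heuristic (an assumption, not a standard): an opaque identifier is a single
# query value or path segment of 16+ URL-safe characters.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{16,}$")


class _RefCollector(HTMLParser):
    """Collect every image and link reference together with its attributes."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self.refs.append(("img", a["src"], a))
        elif tag == "a" and a.get("href"):
            self.refs.append(("a", a["href"], a))


def _same_org(host, sender_domain):
    return host == sender_domain or host.endswith("." + sender_domain)


def _tokens(url):
    """Opaque identifiers found in the query values or path segments of a URL."""
    parts = urlsplit(url)
    found = [v for vals in parse_qs(parts.query).values() for v in vals]
    found += parts.path.split("/")
    return [t for t in found if TOKEN_RE.match(t)]


def find_beacon_candidates(html, sender_domain):
    """Return remote references that look like web bugs: an off-domain host
    plus either a 1x1 image or an opaque per-recipient token in the URL."""
    p = _RefCollector()
    p.feed(html)
    out = []
    for kind, url, attrs in p.refs:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue                      # inline data: or relative refs are not beacons
        if _same_org(parts.hostname, sender_domain):
            continue                      # the sender's own assets are expected
        tokens = _tokens(url)
        tiny = kind == "img" and attrs.get("width") == "1" and attrs.get("height") == "1"
        if tokens or tiny:
            out.append({"kind": kind, "host": parts.hostname,
                        "tokens": tokens, "tracking_pixel": tiny})
    return out


def tokens_shared_across_refs(candidates):
    """Tokens appearing in more than one reference: the same identifier in the
    pixel and in the visible link means both report back on one recipient."""
    seen = {}
    for c in candidates:
        for t in c["tokens"]:
            seen[t] = seen.get(t, 0) + 1
    return sorted(t for t, n in seen.items() if n > 1)


if __name__ == "__main__":
    cands = find_beacon_candidates(SAMPLE_HTML, SENDER_DOMAIN)
    for c in cands:
        print(c)
    print("shared tokens:", tokens_shared_across_refs(cands))
```

Run against the sample, the two references to cdn.example-news.test are flagged (the image additionally as a tracking pixel) and the token 9f3a2c7e1b4d5a6f8c0e is reported as shared; the sender's own logo and events link pass. Legitimate newsletters use the same mechanics, so this is a triage signal rather than a verdict; the robust control on the user side is what most mail clients already offer, namely not loading remote images by default, which denies the actor the "mailbox is read" signal while leaving the visible link as the only beacon they can still trigger.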
Iranian threat actor unsuccessfully attempted to log into the accounts of administration officials and Donald J. Trump for President campaign staff
Phosphorus has attempted to access the personal or work accounts of individuals involved directly or indirectly with the U.S. presidential election. Between May and June 2020, the Iranian threat actor unsuccessfully attempted to log into the accounts of administration officials and Donald J. Trump for President campaign staff.