A group of Russian hackers known as CozyDuke has been identified as being responsible for a sustained cyber attack against the White House.
Researchers at Russia-based Kaspersky Lab have published their latest findings about the advanced persistent threat (APT) actor known as CozyDuke, and while the security firm has stopped short of explicitly attributing blame to any one country, corroborating evidence indicates that the Russian government is behind attacks on the White House and the Department of State – something US officials had previously claimed.
When the attack was initially reported in October, US officials said no sensitive information had been accessed, but in April, sources at the White House said the hackers had gained access to President Obama’s schedule which, while not classified, is seen as highly prized by foreign intelligence agencies.
The group, also known as CozyBear, CozyCar or “Office Monkeys”, has been linked by Kaspersky Lab to other APT groups – OnionDuke, MiniDuke and CosmicDuke – which have previously been linked to the Russian government.
In July 2014, CosmicDuke was revealed as a state-sponsored malware campaign targeting users in Ukraine as part of Russia’s ongoing cyber-espionage campaign. The command-and-control communication methods used by CozyDuke are similar to those used in the CosmicDuke attacks, according to Kaspersky Lab.
The researchers add that parts of the CozyDuke malware have been built on the same platform as OnionDuke and MiniDuke, both of which are believed to be groups of Russian hackers operating at the behest of the Russian government.
Office Monkeys LOL
Last year it was reported that hackers had shut down the email system of the Executive Office of the President, with White House officials claiming the attack was state-sponsored; three months later the attackers were still present on the non-classified network.
Kaspersky says the group goes after “blatantly sensitive high profile victims and targets” utilizing “evolving crypto and anti-detection capabilities”.
The main attack vector was spear phishing campaigns, some of which contained links to high-profile, legitimate websites such as “diplomacy.pl” which hosted a Zip archive.
Once downloaded and extracted, the Zip archive contains a file which installs the malware, as well as a decoy file showing an empty PDF.
Another “highly successful” attack saw the hackers send phony Flash videos attached to the phishing emails, one of which was a video called “Office Monkeys LOL Video.zip”. When the victim clicks on the link, the video plays, but in the background the malware is installed on the system.
Kaspersky Lab has published reports on alleged electronic espionage by the U.S., Israel, and the U.K.—but hasn’t looked as aggressively at Russia
Kaspersky Lab sells security software, including antivirus programs recommended by big-box stores and other U.S. PC retailers. The Moscow-based company ranks sixth in revenue among security-software makers, taking in $667 million in 2013, and is a favorite among Best Buy’s Geek Squad technicians and reviewers on Amazon.com. Founder and Chief Executive Officer Eugene Kaspersky was educated at a KGB-sponsored cryptography institute, then worked for Russian military intelligence, and in 2007, one of the company’s Japanese ad campaigns used the slogan “A Specialist in Cryptography from KGB.” The sales tactic, a local partner’s idea, was “quickly removed by headquarters,” according to Kaspersky Lab, as the company recruited senior managers in the U.S. and Europe to expand its business and readied an initial public offering with a U.S. investment firm.
In 2012, however, Kaspersky Lab abruptly changed course. Since then, high-level managers have left or been fired, their jobs often filled by people with closer ties to Russia’s military or intelligence services. Some of these people actively aid criminal investigations by the FSB, the KGB’s successor, using data from some of the 400 million customers who rely on Kaspersky Lab’s software, say six current and former employees who declined to discuss the matter publicly because they feared reprisals.
This closeness starts at the top: Unless Kaspersky is traveling, he rarely misses a weekly banya (sauna) night with a group of about 5 to 10 that usually includes Russian intelligence officials.
Kaspersky says in an interview that the group saunas are purely social: “When I go to banya, they’re friends.” Kaspersky says government officials can’t associate his company’s data with individual customers and that he hasn’t had to worry about increased pressure to demonstrate loyalty to Vladimir Putin. “I’m not the right person to talk about Russian realities, because I live in cyberspace,” he says.
Nonetheless, while Kaspersky Lab has published a series of reports that examined alleged electronic espionage by the U.S., Israel, and the U.K., the company hasn’t pursued alleged Russian operations with the same vigor. In February, Kaspersky Lab researchers released a remarkably detailed report about the tactics of a hacker collective known as the Equation Group, which has targeted Russia, Iran, and Pakistan, and which cybersecurity analysts believe to be a cover for the U.S. National Security Agency.
Kaspersky Lab hasn’t issued a similar report about Russia’s links to sophisticated spyware known as Sofacy, which has attacked NATO and foreign ministries in Eastern Europe. Sofacy was reported on last fall by U.S. cybersecurity company FireEye. While Kaspersky Lab is the most prominent cybersecurity business with close ties to the Russian government, that affinity with the country’s spooks reflects a yearslong shift by security companies toward choosing sides.
Most major security-software makers work with the U.S. in some capacity. Any government relationships can make a company’s products harder to sell in a paranoid global marketplace, says Rick Holland, principal analyst of security and risk management for Forrester Research. “It’s a challenge for any security company out there,” Holland says. “What are your ties to government?” Kaspersky Lab’s ties dramatically increased after two waves of executive departures, say four of the former insiders.
The first came in 2012, after Kaspersky scotched an IPO partnership with Greenwich (Conn.) investment firm General Atlantic. Afterward, Chief Business Officer Garry Kondakov circulated an internal e-mail saying that from then on, the company’s highest positions would be held only by Russians, say two people who saw the e-mail. Board meetings, once conducted in English, were now in Russian.
The company denies that the e-mail was ever sent. In 2014, after a handful of senior managers, including Chief Technology Officer Nikolay Grebennikov and North American President Steve Orenberg, asked Kaspersky to consider appointing a new CEO and retaining only the chairmanship of the company, he fired them.
Chief Legal Officer Igor Chekunov, who regularly joins Kaspersky’s banya nights, is the point man for the company’s work with the Russian government, three of the insiders say. Since 2013 he has managed a team of 10 specialists who study data from customers who have been hacked and provide technical support to the FSB and other Russian agencies. The team can access data directly from any of the company’s systems.
While Kaspersky Lab’s managing director for North America, Christopher Doggett, says its data are anonymous, two people familiar with the technology say it can be altered to gather identifying information from individual computers and has been used to aid the FSB in investigations. Chekunov had no biography on the company website prior to a query from Bloomberg Businessweek.
Spokeswoman Sarah Kitsos says he served as a policeman after working in the KGB’s border patrol. FireEye shows how these relationships work in the U.S. The company was guided early on by the CIA, which uses its technology and for years maintained a stake in the company through the agency’s investment arm, In-Q-Tel. FireEye has revealed Chinese and Russian hacking but has yet to do a major report calling out spying by the U.S. Although FireEye CEO David DeWalt praised Kaspersky Lab’s Equation Group report, he wouldn’t say whether his company is researching the group. “Is it any mystery what origins they have and who probably fed them these information sources?” he says. “You look at all of that, and you just go, ‘Hey, this is the reality we’re in now.’ ”
In head-to-head tests, Kaspersky Lab’s software still performs well against competitors. “The techies love us,” Doggett says. But the ruble’s slide will likely dent the company’s 2014 earnings, which it posts in dollars online. More important, Kaspersky has struggled to win federal U.S. contracts. “There’s a cyber isolationism that’s definitely emerging,” says Holland, the Forrester analyst. “They have to overcome any perceived or actual alliances.”
The bottom line: Popular security-software maker Kaspersky Lab has close ties to Russian military and intelligence officials. (Updated first paragraph to clarify that Eugene Kaspersky was educated at a KGB-sponsored cryptography institute, then worked for Russian military intelligence.)
Credit: David Gilbert, Carol Matlack, Michael A Riley and Jordan Robertson