Google’s Threat Analysis Group has cast more light on targeted credential phishing & malware attacks on the staff of Joe Biden’s US presidential campaign.
Hackers sent Joe Biden’s presidential campaign staffers malicious emails that impersonated anti-virus software company McAfee & used a mix of legitimate services (e.g. Dropbox) to avoid detection. The emails were an attempt to steal staffers’ credentials & infect them with malware.
The unsuccessful advanced persistent threat (APT) group attacks on Biden’s campaign were first uncovered in June, along with cyber-attacks targeting Donald Trump’s campaign. However, details of the attacks themselves, & the tactics used, were scarce until Google’s Threat Analysis Group (TAG) published its analysis on Fri.
“In 1 example, attackers impersonated McAfee,” explained researchers on Fri. “The targets would be prompted to install a legitimate version of McAfee anti-virus software from GitHub, while malware was simultaneously silently installed to the system.”
The campaign relied on emailed links that ultimately downloaded malware hosted on GitHub, researchers commented. The malware was a Python-based implant that used Dropbox for command & control (C2); once installed, it allowed the attacker to upload & download files & execute arbitrary commands.
Every malicious piece of this attack was hosted on legitimate services, thus making it harder for defenders to rely on network signals for detection, researchers noted.
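Because the GitHub download & the Dropbox C2 traffic both go to legitimate services, the usable signal is host context rather than destination: which process opened the connection. The following is an added example, not TAG’s or Google’s code, that applies that idea to a constructed batch of EDR-style network events (the JSON field names, the allow list of images expected to contact Dropbox, & the interpreter list are all assumptions for this example).

```python
"""Flag Dropbox API sessions opened by processes that have no business talking to
Dropbox, e.g. a Python interpreter, which is how a Dropbox-backed implant would
stand out on the host even though the destination itself is a legitimate service."""
import json
from collections import defaultdict

# Constructed sample: one hypothetical EDR network event per line (not real telemetry).
SAMPLE_EVENTS = r"""
{"ts":"2020-10-16T14:02:11Z","host":"ws-17","pid":4120,"image":"C:\\Program Files\\Dropbox\\Client\\Dropbox.exe","dest":"api.dropboxapi.com","port":443}
{"ts":"2020-10-16T14:05:40Z","host":"ws-17","pid":5312,"image":"C:\\Users\\staffer\\AppData\\Local\\Programs\\Python\\python.exe","dest":"content.dropboxapi.com","port":443}
{"ts":"2020-10-16T14:05:41Z","host":"ws-17","pid":5312,"image":"C:\\Users\\staffer\\AppData\\Local\\Programs\\Python\\python.exe","dest":"api.dropboxapi.com","port":443}
{"ts":"2020-10-16T14:06:02Z","host":"ws-17","pid":2208,"image":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","dest":"www.dropbox.com","port":443}
{"ts":"2020-10-16T14:07:10Z","host":"ws-17","pid":5312,"image":"C:\\Users\\staffer\\AppData\\Local\\Programs\\Python\\python.exe","dest":"github.com","port":443}
"""

# Dropbox endpoints an implant needs; the desktop client and browsers use the same ones.
DROPBOX_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com", "www.dropbox.com"}
# Images expected to contact Dropbox on a managed workstation (assumed allow list).
EXPECTED_IMAGES = {"dropbox.exe", "firefox.exe", "chrome.exe", "msedge.exe", "outlook.exe"}
# Script interpreters: Dropbox API traffic from one of these is the implant pattern above.
INTERPRETERS = {"python.exe", "pythonw.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

def image_name(path):
    """Lower-cased basename of a Windows or POSIX image path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def find_suspect_dropbox_clients(events):
    """One finding per (host, pid, image) that reaches Dropbox from an unexpected image."""
    grouped = defaultdict(list)
    for ev in events:
        if ev["dest"] not in DROPBOX_HOSTS or image_name(ev["image"]) in EXPECTED_IMAGES:
            continue
        grouped[(ev["host"], ev["pid"], ev["image"])].append(ev)
    findings = []
    for (host, pid, image), evs in grouped.items():
        findings.append({
            "host": host, "pid": pid, "image": image,
            "severity": "high" if image_name(image) in INTERPRETERS else "medium",
            "connections": len(evs),
            "first_seen": min(e["ts"] for e in evs),
            "dests": sorted({e["dest"] for e in evs}),
        })
    return findings

if __name__ == "__main__":
    for finding in find_suspect_dropbox_clients(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

Run against the sample, the Dropbox client & the browser are ignored & the Python interpreter's two API connections collapse into a single high-severity finding; the same process's GitHub connection is not itself flagged, which is why the allow list is keyed on the process, not the destination.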
Google attributed the attack on Biden’s campaign staff to APT 31 (also known as Zirconium). According to reports, this threat actor is linked to the Chinese Govt.
In addition to staffers on the “Joe Biden for President” campaign, APT 31 has also been targeting “prominent individuals in the international affairs community, academics in international affairs from more than 15 universities,” according to previous Microsoft research.
The threat group’s tactics, techniques & procedures (TTPs) include web “beacons” hosted on an attacker-controlled domain. The group sends the domain’s URL to targets in email text (or an attachment) & uses social engineering to persuade them to click the link.
“Although the domain itself may not have malicious content, this allows Zirconium [APT 31] to check if a user attempted to access the site,” observed Microsoft. “For nation-state actors, this is a simple way to perform reconnaissance on targeted accounts to determine if the account is valid or the user is active.”
‘Phosphorus’ & ‘Charming Kitten’
On the other side of the election, the personal email accounts of staffers associated with the “Donald J. Trump for President” campaign have also been targeted by another threat group called APT 35 (also known as Phosphorus & Charming Kitten), which researchers said operates out of Iran. The Iran-linked hacking group has been known to use phishing as an attack vector, & in February was discovered targeting public figures in phishing attacks that stole victims’ email-account information.
However, researchers said the good news is that there’s increased attention on the threats posed by APTs in the context of the US election. Google said it removed 14 Google accounts that were linked to Ukrainian Parliament member Andrii Derkach shortly after the US Treasury sanctioned Derkach for attempting to influence the US elections.
US Presidential Election
“US Govt. agencies have warned about different threat actors, & we’ve worked closely with those agencies & others in the tech industry to share leads & intelligence about what we’re seeing across the ecosystem,” outlined Google researchers.
With the 2020 US Presidential Election just 2 weeks away, cyber-security concerns are under the spotlight – including worries about the integrity of voting machines, the expected expansion of mail-in voting due to COVID-19 & disinformation campaigns.