Hours after Donald Trump won the presidential election, a suspected Russian cyberespionage team was blamed for targeting several U.S. think tanks with phishing emails designed to fool victims into installing malware.
On Wednesday, the phishing emails landed in the inboxes of dozens of targets associated with U.S. think tanks and non-governmental organizations, said security firm Volexity.
A hacking group called APT 29 or Cozy Bear was behind the attack, according to Veloxity. This is one of the same groups that security experts say was also responsible for hacking the Democratic National Committee and is allegedly tied to the Russian government.
Wednesday’s attack involved five waves of phishing emails that targeted groups and individuals in the national security, international affairs, and public policy sectors, among other groups, Volexity said in a blog post.
To entice the victims to open the emails, the messages were titled with subject lines about election rigging in the U.S. and how the system was flawed. Other emails pretended to come from the Clinton Foundation. However, all of the messages were meant to trick victims into opening download links or attachments to install malware.
Volexity A copy of one of the phishing emails.
That malware is designed to examine and control whatever system it infects. It can also secretly download additional malicious files and evade detection from antivirus products.
Volexity is blaming the attack on the Cozy Bear group partly because of the malware used; it contains coding that’s been found in other hacking techniques tied to the elite hacking team, company founder Steven Adair said.
In addition, Wednesday’s attack matches similar methods used in phishing email campaigns that occurred in August and also targeted think tanks and NGOs.
In this case, the malicious emails came from a mix of Google Gmail accounts and possibly hacked emails accounts from Harvard’s arts and sciences faculty.
Harvard didn’t immediately respond to a request for comment.
Volexity declined to name which think tanks were targeted. But Adam Segal, a China expert at the Council on Foreign Relations, and Maeve Whelan-Wuest, a researcher at the Brookings Institution, said on Twitter they had both received the phishing emails.
Why these institutions were targeted isn’t clear. But “folks at think tanks have a lot of contacts and relationships with different government officials and people in the political space,” Adair said.
“My guess it’s access to what these people are saying and potentially leveraging knowledge about them to further target them,” he said.
Security firm Crowdstrike has claimed the hacking team Cozy Bear has previously infiltrated networks belonging to the White House, U.S. State Department, and the Joint Chiefs of Staff.
Although security experts and the U.S. government have linked the Cozy Bear group with Russia, the country’s government has denied any involvement in state-sponsored hacking.