Less than six hours after Donald Trump won the US presidential election, a new spear phishing campaign was launched by a Russia-based group. The group is apparently one of the two organizations connected to the breach at the Democratic National Committee, and it's responsible for nearly a decade of intelligence collection campaigns against military and diplomatic targets.
Security firm Volexity refers to the group as "the Dukes" based on the malware family being utilized. According to a report by Volexity founder Steven Adair, the group is known for a malware family known as "the Dukes"—also referred to as APT29 or "Cozy Bear." The Dukes' primary targets in this latest round of attacks appear to be non-governmental organizations (NGOs) and policy think tanks in the US.
According to Volexity's data, the threat group sent e-mails from purpose-built Gmail accounts and what may be a compromised e-mail account from Harvard University's Faculty of Arts and Science. The phishing e-mails dropped a new variant of backdoor malware dubbed "PowerDuke" by Volexity, and this malware gave attackers remote access to compromised systems. Volexity has been tracking a number of campaigns based on PowerDuke since August, when some "highly targeted" malicious e-mails were sent to individuals at a number of policy research organizations in the US and Europe. The e-mails were disguised as messages from the Center for a New American Security (CNAS), Transparency International, the Council on Foreign Relations, the International Institute for Strategic Studies (IISS), and Eurasia Group. Another wave of similar e-mails targeted universities in October.