A group of hackers behind the Democratic National Committee breach may have a new target: foreign ministries across the world.
On Wednesday, the security firm Palo Alto Networks said it sourced the hacking attempts to Fancy Bear, a shadowy group that’s widely believed to work for the Russian government.
The group —which also goes by the name Sofacy— is notorious for stealing sensitive files from the DNC and the World Anti-Doping Agency and then leaking them online. Recently, Fancy Bear also infiltrated several German government offices, including the foreign and defense ministries, according to the news agency DPA.
The hacking attempts have often come through phishing emails that can masquerade as legitimate organizations, and the group’s latest exploits have been no different. This month, Palo Alto Networks noticed an attack targeting two foreign ministries, one located in North America, the other in Europe.
The attack relied on a fake email purporting to come from a defense industry news publisher run by IHS Markit, a well-known analyst firm. Inside the email was an attachment for an Excel file that held a calendar for upcoming events.
The email was made to look quite convincing; it managed to spoof the email header with the address “email@example.com.” But in reality, the document was rigged to install malware on to the victim’s computer.
It did so through the attached Excel file, which contained a dangerous software macro. That macro is essentially a sequence of automated actions that’ll run when activated. In this case, it can load malware.
To trick the victims into enabling the macro, the attackers decided to hide all the text inside the Excel file with a white-colored font. Victims who opened the file would have been fooled into thinking they had to enable the macro to see the text.
“When successful, attackers can gain complete control over the computer, enabling them to copy documents, usernames, passwords, account information and even take screenshots,” the security firm said in an email.
Palo Alto Networks has been studying the phishing email and said the malware used some of the same code and domain landing page formatting from the group’s previous attacks. A separate security firm known as Intezer has also matched part of the malware sample with Fancy Bear as well.
Palo Alto Networks hasn’t identified which governments were targeted in the phishing scheme, but it said the targets included a European embassy in Moscow. Fancy Bear has also been trying to hack the foreign ministries via another toolset, but for now, Palo Alto Networks is remaining mum on the details.