Cozy Bear is back. The other Russian cyber operational agency, quieter sister to GRU’s Fancy Bear and generally associated with either the FSB or SVR (both KGB descendants), has been engaged in spearphishing US targets. CrowdStrike and FireEye, among others, have discussed the discovery. CrowdStrike says Cozy Bear has been impersonating a US State Department official in the spearphishing emails. The payload is a link to a legitimate but compromised website. The targets form a familiar set of Cozy Bear interests: government agencies (including law enforcement), think tanks, and business intelligence services. Cozy Bear, by the way, is also known as “APT29,” “The Dukes,” or “PowerDuke” (ZDNet, Reuters).
Ukraine’s CERT, working with the country’s Foreign Intelligence Service, says it stopped battlespace preparation for a campaign that would have installed a new version of Pterodo espionage and attack-staging malware. There’s no attribution, but they note that the campaign appeared interested in former Soviet Republics (Ukrinform).
Researchers report a Gmail flaw that enables a user to add an arbitrary email address to the “From” field. Social engineering possibilities are obvious (HackRead).
Trend Micro is tracking the Outlaw criminal group, which is engaged in a renewed botnet campaign for cryptojacking, scanning, and brute-forcing of credentials.
The new US civilian cybersecurity agency, CISA, is now ready for its “groundbreaking.” President Trump signed the legislation creating it into law at the end of last week (ZDNet).