Alleged Russian hackers behind the EFF Spear phishing Scam

The experts at EFF organization speculate that Russian State-sponsored hackers belonging the APT 28 group have managed the last EFF Spear phishing Scam.

Attackers, alleged to belong to a Russian state-sponsored APT registered a bogus Electronic Frontier Foundation domain earlier this month. The hackers used the name brand of popular privacy watchdog in an attempt to trick targets into thinking that email sent by the domain was coming from the trusted organization.
According to the security experts who are investigating the case, the spear phishing campaign is part the Pawn Storm Operation. Security experts from several security firms speculate that the Russian APT 28 manages the long-running espionage campaign.
The Pawn Storm group, also called APT 28, has been active for several years, according to the experts at FireEye who are following it the attacks are carried during business hours, on Moscow time, and targets organizations managing information related to governments, militaries and security organizations. The experts sustain that the information exfiltrated by the hackers are of great interest for the Russian Intelligence.
According to a blog post published by the EFF the fake domain, the threat actors registered the bogus domain electronicfrontierfoundation.org a few weeks ago and used it in targeted attacks leveraging on a recently patched Java zero-day exploit.

Despite Oracle has already patched the vulnerability exploited in the attack the hacking crew is still exploiting it.
The phishing emails include links to the fake EFF website, once clicked on the visitor is redirected to page on the same domain containing a Java applet that could exploit the flaw in the unpatched version of the Java software.
“The attack is relatively sophisticated—it uses a recently discovered Java exploit, the first known Java zero-day in two years. The attacker sends the target a spear phishing email containing a link to a unique URL on the malicious domain (in this case electronicfrontierfoundation.org). When visited, the URL will redirect the user to another unique URL in the form of htt://electronicfrontierfoundation.org/url/{6_random_digits}/Go.class containing a Java applet which exploits a vulnerable version of Java. Once the URL is used and the Java payload is received, the URL is disabled and will no longer deliver malware (presumably to make life harder for malware analysts).

The attacker, now able to run any code on the user’s machine due to the Java exploit, downloads a second payload, which is a binary program to be executed on the target’s computer.” States the blog post published by the EFF.

The experts at the EFF sustain that there are a number of similarities between this campaign and other operation managed by the Russian APT 28 group, for example the path and filename used in the exploit are the same as those used in the attacks of the Pawn Storm. The attackers used the Sednit malware to infect victims and install a backdoor in order to maintain persistence in the compromised machine.

The APT 28 also carried out attacks on NATO forces and White House staff in the past months.
In order to secure the systems, the EFF is urging users to update Java to the latest release in order to fix the vulnerabilities exploited in the attack. The EFF has also reported for abuse the phony domain used in the spear phishing attacks in order to take it offline.

Pierluigi Paganini

(Security Affairs – EFF, APT 28)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

American fast-fashion firm Hot Topic hit by credential stuffing attacks

Hot Topic suffered credential stuffing attacks that exposed customers' personal information and partial payment data.…

2 hours ago

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

16 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

23 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

1 day ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

2 days ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

2 days ago

This website uses cookies.