That malware is designed to examine and control whatever system it infects. It can also secretly download additional malicious files and evade detection from antivirus products.
Volexity is blaming the attack on the Cozy Bear group partly because of the malware used; it contains coding that’s been found in other hacking techniques tied to the elite hacking team, company founder Steven Adair said.
In addition, Wednesday’s attack matches similar methods used in phishing email campaigns that occurred in August and also targeted think tanks and NGOs.
In this case, the malicious emails came from a mix of Google Gmail accounts and possibly hacked emails accounts from Harvard’s arts and sciences faculty.
Harvard didn’t immediately respond to a request for comment.
Volexity declined to name which think tanks were targeted. But Adam Segal, a China expert at the Council on Foreign Relations, and Maeve Whelan-Wuest, a researcher at the Brookings Institution, said on Twitter they had both received the phishing emails.
Why these institutions were targeted isn’t clear. But “folks at think tanks have a lot of contacts and relationships with different government officials and people in the political space,” Adair said.
“My guess it’s access to what these people are saying and potentially leveraging knowledge about them to further target them,” he said.
Security firm Crowdstrike has claimed the hacking team Cozy Bear has previously infiltrated networks belonging to the White House, U.S. State Department, and the Joint Chiefs of Staff.
Although security experts and the U.S. government have linked the Cozy Bear group with Russia, the country’s government has denied any involvement in state-sponsored hacking.