CozyDuke APT Behind White House, State Department Attacks: Kaspersky

Thursday, April 23, 2015

Eduard Kovacs


An advanced persistent threat (APT) actor dubbed “CozyDuke” (also known as CozyBear and CozyCar) is believed to be responsible for recent cyberattacks targeting the US Department of State and the White House, according to Kaspersky Lab.

In a blog post containing numerous technical details on the group’s tools and activities, Kaspersky researchers revealed that the APT actor targeted various high-profile organizations in the second half of 2014.

According to the security firm, CozyDuke shares similarities with components spotted in previously documented APTs such as MiniDuke, CosmicDuke and OnionDuke.

In some of its attacks, CozyDuke used spear-phishing emails containing links to compromised websites hosting malware. In other operations, the attackers relied on malicious Flash videos attached directly to emails in order to deliver malware.

“A clever example is ‘Office Monkeys LOL’. The executable within not only plays a flash video, but drops and runs another CozyDuke executable. These videos are quickly passed around offices with delight while systems are infected in the background silently,“ Kaspersky researchers explained.

Once it infects a system, the malware checks for the presence of security products from Kaspersky, Crystal Security, Sophos, Dr. Web, Avira, and Comodo. Researchers have noted that many of the malware components used in CozyDuke attacks are signed with fake Intel and AMD digital certificates.

Read the rest of this story on

Firewalls IDS/IDP Network Access Control Network->General SCADA
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.