At least 12 US progressive groups have been targeted by extortion attempts in recent months, according to a new report from Bloomberg, which cites FBI and private security sources. The groups have been approached with stolen email or cloud data and a simple threat: pay up or we’ll leak to the press. According to Bloomberg, the amounts range from $30,000 to $150,000. After countless anonymous data drops during the campaign, that threat is more credible than ever. Bloomberg names only two of the groups — the Center for American Progress and Arabella Partners — although the Center for American Progress has denied receiving any such threats. It’s unclear what other groups may be implicated. Because of the money involved, extortion attempts are usually associated with criminals rather than intelligence agencies. However, Bloomberg’s sources say many of the techniques used in the attempts are consistent with the Cozy Bear group, which has been linked with Russian intelligence in the past.
Private cybersecurity groups have previously reported a wave of spear-phishing attacks against think-tanks and non-governmental organizations in the wake of the election, many of which also used Cozy Bear’s techniques and toolkit.
Soon after the Democratic National Committee called in security firm CrowdStrike about a suspected breach, the firm began investigating and “immediately identified two sophisticated adversaries on the network — COZY BEAR and FANCY BEAR,” it writes in a blog post on its site.
The two hacker groups are closely linked to the Russian Federation’s intelligence services, according to CrowdStrike, which considers them “some of the best adversaries out of all the numerous nation-state, criminal and hacktivist/terrorist groups” it encounters, praising their “superb” tradecraft and extensive use of “living-off-the-land” techniques (relying on legitimate administrative tools already present on a system rather than on custom malware) that allow them to bypass security solutions.
Cozy Bear: Last year, the group (also known as CozyDuke or APT29) hacked the White House, State Department and US Joint Chiefs of Staff, as well as companies and government agencies in Western Europe, China, Brazil and many other countries. Preferred method: broadly targeted spearphishing.
Fancy Bear: This group targets defense ministries and military officials in the U.S., Western Europe, Brazil, China, Iran and many other countries, and was behind last year’s intrusions into the German Bundestag and France’s TV5 Monde. Preferred method: registering domains that resemble legitimate ones and standing up phishing sites that spoof them.
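The look-alike domain trick described for Fancy Bear is also one of the easier things for a targeted organization to watch for. The script below is an added example, not code from the article or from CrowdStrike: it takes a list of domains an organization legitimately uses (a constructed, hypothetical list here) and a batch of candidate domains (also constructed; in practice these would come from new-registration feeds, certificate transparency logs or the sender domains in mail logs) and flags the common spoofing patterns: a swapped TLD, ASCII homoglyphs such as 0 for o, the brand name buried in a hyphenated label or in a subdomain, an inserted hyphen, and small edit-distance typos. It assumes the last DNS label is the TLD (no public-suffix list) and folds only ASCII look-alikes, so Unicode confusables are out of scope.

```python
"""Look-alike domain screening. Added illustration; not the article's or any
vendor's code. The legitimate-domain list and candidate list are constructed."""

# Hypothetical list of domains the organization genuinely uses.
LEGIT_DOMAINS = ["google.com", "microsoft.com", "dnc.org"]

# Constructed candidates, e.g. newly registered domains seen in a CT-log feed.
CANDIDATES = [
    "g00gle.com",                  # homoglyph: 0 for o
    "microsoft.co",                # TLD swap
    "accounts-google.com",         # brand inside a hyphenated label
    "google.com.verify-login.net", # brand as a subdomain of an unrelated domain
    "micros0ft-support.net",       # homoglyph plus brand-in-label
    "goo-gle.com",                 # inserted hyphen
    "googel.com",                  # transposition, edit distance 2
    "google.com",                  # the real thing: must not be flagged
    "example.org",                 # unrelated: must not be flagged
]

# Multi-character sequences are listed first so "rn" folds to "m" before any
# single-character rule could consume part of it. ASCII only (assumption).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def fold_homoglyphs(label):
    """Map visually similar ASCII sequences onto the letters they imitate."""
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def split_domain(domain):
    """Return (subdomain labels, registrable label, tld).
    Assumption: the last label is the TLD; multi-part suffixes such as
    co.uk are mis-split without a public-suffix list."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return [], labels[0], ""
    return labels[:-2], labels[-2], labels[-1]


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def findings_for(candidate, legit_domains):
    """List (legit_domain, reason) pairs explaining why candidate looks like
    each legitimate domain; empty list means no resemblance was found."""
    out = []
    c_sub, c_sld, c_tld = split_domain(candidate)
    for legit in legit_domains:
        _, l_sld, l_tld = split_domain(legit)
        if c_sld == l_sld and c_tld == l_tld:
            continue                      # the genuine domain itself
        if c_sld == l_sld:
            out.append((legit, "tld-swap"))
            continue
        if fold_homoglyphs(c_sld) == fold_homoglyphs(l_sld):
            out.append((legit, "homoglyph"))
            continue
        parts = [fold_homoglyphs(p) for p in c_sld.split("-")]
        if len(parts) > 1 and l_sld in parts:
            out.append((legit, "brand-in-label"))
            continue
        if c_sld.replace("-", "") == l_sld:
            out.append((legit, "hyphen-inserted"))
            continue
        if l_sld in [fold_homoglyphs(p) for p in c_sub]:
            out.append((legit, "brand-in-subdomain"))
            continue
        # Allow one typo for short brands, two for longer ones (tunable).
        d = levenshtein(c_sld, l_sld)
        if 0 < d <= (1 if len(l_sld) < 6 else 2):
            out.append((legit, "edit-distance-%d" % d))
    return out


def scan(candidates, legit_domains):
    """Map each candidate to its findings, keeping only flagged candidates."""
    report = {}
    for cand in candidates:
        hits = findings_for(cand, legit_domains)
        if hits:
            report[cand] = hits
    return report


if __name__ == "__main__":
    for cand, hits in scan(CANDIDATES, LEGIT_DOMAINS).items():
        print("%-30s %s" % (cand, ", ".join("%s (%s)" % h for h in hits)))
```

The edit-distance thresholds and the homoglyph table are deliberately conservative; loosen them for a brand list you control and tighten them for a noisy feed, and treat the output as a triage queue rather than a block list, since legitimate third parties also register brand-in-label domains.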