Once a Target, Always a Target Flaws in the Cyberattack Assembly Line

It’s tempting to think cyberattacks are sophisticated, but from a technical perspective, they are mostly routine. Cyber actors must rely on operational efficiency, reusable modular toolkits, and infrastructure stability to attack a large number of targets successfully. These assembly lines run counter to the view that cyber attacks are “sophisticated snowflakes” and provide opportunities to preempt attacks at a point in time when it is possible to change outcomes.

Area 1 Security learned several small patterns during a phishing campaign launched November 9, 2016, via its ActiveSensor network. This campaign, which began the day after the U.S. presidential election, revealed insights into the assembly line of the actor, a partial database of targets, and methods to preempt future attacks.

The campaign we observed is attributed to a Russian espionage group we call RUS2 (also known as the Dukes, APT-29, or Cozy Bear). RUS2 is solely focused on targeting political organizations. They are known to have hacked the DNC in 2015 and breached the State Department in the same year. To achieve their goals, they simultaneously pursue current and former officials, as well as associates working in private industry.

The phishing emails in this campaign had several shared characteristics:

Subjects: “just FYI”, “RFI”, “eFax”, or “Elections”
Attachments: ZIP file attachment or Microsoft document containing a malicious macro
Command and Control: known C2 operated by RUS2

During the reconnaissance phase (Kill Chain — 1) of a cyber campaign, actors compile lists of targets and their email addresses, primarily through open source data-gathering, web scraping, social network analysis and other national technical means. Once targets are identified and their targeting information compiled, they will typically be loaded into a targeting database in an automated system to execute the delivery phase (Kill Chain — 3).

The targeting database that Area 1 Security was able to reconstruct reveals three specific insights into the assembly line of operations which can be used to preempt future campaigns:

  1. The database contains a mixture of personal and corporate email addresses. Targets include current and former officials of the U.S. government or associates in the political process. This shows RUS2 is looking for the weak link in the chain and will pursue direct and indirect targets to achieve their campaign’s goals.
  2. Analysis of bounced emails included in the campaign shows that the actor doesn’t consider cleaning or updating their database of targets. Targets continue to receive phishing attacks, whether or not they are in the same position as they were when initially targeted.
  3. Temporal reconstruction of the bounced emails, targets, and their positions of interest reveals targeting going back ten years to 2007.

RUS2 believes they avoid detection by changing some aspects of the infrastructure they utilize. This is a countermeasure to traditional security approaches which focus on blocking IPs, domains, and URLs. Our use of attacker behavior analytics, however, and their consistent redelivery of phishing campaigns to targets no longer associated with identified email addresses, allows us to reconstruct both the timeline and development of their campaigns, as well as new infrastructure and payloads being delivered.

It’s easy to imagine RUS2 operating a giant spreadsheet where new targets are added, but never leave. RUS2 probably moves quickly, compromising a server or service to send out phishing emails from it, and then leaves, never returning to check for bounced email messages to cull from its list.

Targets who change their positions and the organizations they work for after becoming a target of RUS2 unintentionally move into the crosshairs of future campaigns. Thus targets carry the blemish of being a Russian target into their new workplace. These people unintentionally give RUS2 beachheads in companies and organizations they never even planned on or imagined hacking. As an example, several targets of the November 9, 2016, campaign who had worked in the prior administration and now work in the financial, pharmaceutical, and defense industries continue to be targeted, and those organizations are attacked as a result of the association.

Russia is notoriously persistent in pursuing targets and our report is a lesson on why every organization needs great security.

Our analysis of the last ten years of RUS2 targeting, compiled by reverse engineering their database, reveals previously undisclosed information about the involvement of Russian actors in prior U.S. elections. It has been widely reported that both presidential candidates in the 2008 election were targeted and exploited by actors associated with the Chinese government. Area 1 Security was able to identify targets within the November 9, 2016 campaign whose association with the 2008 campaign indicate RUS2 was actively targeting them during the same period. The list also includes several officials involved in Russian policy, including a U.S. ambassador to Russia.

Tactics, Techniques, and Procedures (TTPs)

Interactions with Targets and Victims

RUS2 will engage and exchange information interactively with targets to bolster credibility and advance their campaigns.


RUS2 is known to quickly exfiltrate the entire contents of email accounts. They perform these operations with native email clients, as well as with web emails such as Gmail, Office 365, and Outlook Web Access.

Lateral Movement Operations

RUS2 begin lateral movement operations across an Active Directory Domain, typically employing Microsoft PowerShell and Python scripts compiled into binary executable files. They quickly harvest password dumps from Domain Controllers, and seek password file vaults stored on local disks and remote file servers. If they lose access to a target, they leverage previously exfiltrated usernames and passwords in order to regain access through the target’s external services.

Indicators of Compromise

The following IOCs were observed by Area 1 Security during the campaigns described herein:

Payload 1:
Link: hxxp://efax[.]pfdregistry[.]net/eFax/37486[.]ZIP
MD5: f79caf27a99c091e6c1775b306993341
SHA1: a76c02c067eae26d78f4b494274dfa6aedc6fa7a
SHA2: f37da55a4329df13b1283cbfd237ae832cebb4b9c4ed16e5a1e0b98d9b7fdf25
Filename: 37486-the-shocking-truth-about-election-rigging-in-america[.]rtf[.]lnk
MD5: f713d5df826c6051e65f995e57d6817d
SHA1: 68ce4c0324f03976247ff48803a7d988f9f9f43f
SHA2: 2d2fa32f928f8abf31b9e79153422d65fe72cd5ad0d1f815a9d2ffa42fc8d224
Payload 2:
Link: hxxp://efax[.]pfdresearch[.]org/eFax/RWP_16–038–5FNorris[.]ZIP
MD5: 8b3050a95e3ce00424b85f6e9cc3ccec
SHA1: d5dcf445830c54af145c0dfeaebf28f8ec780eb5
SHA2: 6412ea144bb0b8f7d32becda26cd1549825fd7b282f1f96319e5f4000e3d4618
Filename: RWP16–038_Norris[.]exe
MD5: 3335f0461e5472803f4b19b706eaf4b5
SHA1: 5cc807f80f14bc4a1d6036865e50d576200dfd2e
SHA2: 4538af0a76fecc6e45e6d45c22618c52ba89bf596a0b68dd2d4d2358fb5c86ef
Payload 3:
Link: hxxp://efax[.]pfdweek[.]com/eFax/message0236[.]ZIP
MD5: bea0a6f069bd547db685698bc9f9d25a

A partial summary of the targets RUS2 focused on during its November 9, 2016, campaign is provided below:

Financial Services

Vice Chairman Investment Banking
General Counsel
Director Federal Government Relations
Government Relations Intern
Defense Industries

Vice President Congressional Relations
Executive Office Administrator
Vice President Intelligence
Vice President External Relations
Obama for America

Deputy Campaign Manager
Deputy Media Director
Assistant to the Campaign Manager
Deputy Field Director
HR Regional Manager
Battleground State Director
The White House, 2008–2016

Deputy Counsel for the President
Deputy Assistant Secretary of Defense for Russia/Ukraine/Eurasia
Assistant to the Political Director
Advance Associate for the First Lady
Advance Associate for the President
Presidential Personnel Office
Department of State, 2008–2016

United States Ambassador to Russia
Deputy Assistant Secretary for Bureau of European and Eurasian Affairs
Assistant Secretary of State for European and Eurasian Affairs
Foreign Affairs Officer for Office of Weapons Of Mass Destruction Terrorism
Department of Energy, 2008–2016

Assistant Secretary for the Office of International Affairs
Deputy Assistant Secretary for Asia and the Americas
Director for Office of Nuclear Threat Science

Want to keep up to date with the latest phishing trends? 

Subscribe to our newsletter here!


How to replace your email gateway with Cloudflare Area 1

Leaders and practitioners responsible for email security are faced with a few truths every day. It’s likely true that their email is cloud-delivered and comes with some built-in protection that does an OK job of stopping spam and commodity malware.

Introducing email link isolation – Email gateway replacement playbook

This week was a big one for us at Cloudflare, one of our four innovation weeks which we hold annually, showcasing new developments, product news and reference architectures.

Superhero strategies for the Phish Fight

Today is National Superhero Day, and we would like to dedicate this day to you—the SOC teams and the security experts on the frontline of the phish fight.