A U.S. security firm on Monday said a Russian hacker group is likely responsible for a phishing campaign that used emails to impersonate a State Department employee.

FireEye researchers tied the spear phishing campaign to APT29, a group often referred to as “Cozy Bear.” The hackers were targeting U.S. think tanks, the military, federal government and law enforcement, among other sectors, the security firm said in a blog post.

Monday’s finding comes just days after FireEye and another U.S. cybersecurity firm, CrowdStrike, publicly confirmed the phishing campaign. The companies did not attribute the actions to the hacking group at the time, but noted similarities to previous activity by Cozy Bear.

FireEye said the hacking group created emails that gave the impression of coming from a State Department public affairs official who was trying to share an official document. The attached document included links and a file hosted on a domain that was likely compromised, FireEye said.
The blog post said there is no evidence that the State Department network was compromised.
The researchers also wrote that it has been more than a year since they detected activity from APT29, but that the campaign was similar to one carried out by the group after the 2016 presidential election.
“It has also been over a year since we have conclusively identified APT29 activity, which raises questions about the timing and the similarities of the activity after such a long interlude,” FireEye wrote in Monday’s blog post.