Hackers Go Post-Election Phishing, Turn Off Heat in Finland and Steal Cash From UK Bank


This week's hackers dip their toes into cyber-physical shenanigans.

Keep with the latest cyber incidents—politically or financially motivated—with Nextgov's  Threatwatch.

Cozy Bear Goes Phishing After Election

After the U.S. presidential election, a group tied to Russian intelligence sent wave after wave of phishing emails to universities, think tanks and the State Department, according to Motherboard.

The Dukes, a group also known as Cozy Bear or APT29, sent series of emails Wednesday after the election, including messages made to look like a Harvard professor forwarding information from the Clinton Foundation. The group sent the emails to many people working in national security, defense, international affairs, public policy, and European and Asian studies.

Using Gmail accounts, the groups sent eFax links and Microsoft Word and Excel documents that concealed code that would download a backdoor into attacked systems, according to an analysis by security firm Volexity. Components of the backdoor were hidden in PNG files.  

“They have had tremendous success evading anti-virus and anti-malware solutions at both the desktop and mail gateway levels,” the analysis said. “The group’s anti-VM macros and PowerShell scripts appear to have drastically reduced the number of sandboxes and bots that the group has to deal with on their command and control infrastructure.”

Cozy Bear was previously linked to the breach of the Democratic National Committee and other campaigns targeting the think tanks with a focus on Russian affairs.

Cyberattack Leaves Finnish Apartment Dwellers in the Cold

A Finnish company confirmed a distributed denial-of-service attack that left at least two blocks of apartments without power for multiple days.

Valtia, a facilities services company, confirmed two apartment buildings in Lappeenranta, Finland, lost heat and hot water from Nov. 3 through Nov. 4, according to The Security Ledger. The attack hit the building automation systems with fake internet traffic, blocking remote access and causing restarts.

Valtia resolved the issue by switching systems to manual and moving them behind firewalls, according to a report in The Hacker News.

Cyber Thieves Swipe Cash From 20,000 UK Bank Accounts 

Tesco Bank froze online transactions for its customers after detecting suspicious activity on about 40,000 accounts—and fraudulent withdrawals from about 20,000 of them.

The British bank Nov. 6 decided to block customers from paying with their debit cards online, though they could continue using cards in real life at registers or at ATMs. Chief executive Benny Higgins said the bank is working to restore services and refund affected customers by the end of Tuesday, BBC News reported.

The heist involved siphoning “relatively small amounts” of funds from thousands of accounts over a 24-hour window, such as $20 from one account and $500 from another, according to the BBC.

Higgins said it was “a systematic, sophisticated attack” and declined to share more details.