The Russian government-affiliated hacking group Fancy Bear took advantage of the New York terror attacks on Halloween to lure new victims, according to a new report from McAfee.
The attack affixes a command to download malware to a word document about the attacks titled “IsisAttackInNewYork.docx.”
{mosads}In late October, Fancy Bear used a similar tactic to hack people interested in military cyber security, using a document that appeared to contain information about the CyCon cybersecurity conference sponsored by West Point, currently ongoing in Washington, D.C. That attack was first identified by Cisco’s Talos labs.
“Based on the telemetry we captured, we have observed targets in Europe, specifically France and Germany,” said Ryan Sherstobitoff, senior analyst for major campaigns for McAfee Advanced Threat Research via email.
“Based on the document theme from the previous related campaign, it has a name SabreGuardian, which is in reference to the U.S. Army in Europe”
Fancy Bear is best known as one of the Russian hacker groups believed to have hacked the Democratic National Committee during the 2016 election.
The new attacks differ slightly from the CyCon attacks. The CyCon document used a feature in Microsoft Word known as a VBA script to download the Seduploader malware. The New York attack document takes advantage of a different feature, known as Microsoft Office Dynamic Data Exchange, to download Seduploader.
Dynamic Data Exchange is intended to share data between documents.
McAfee believes that the change in tactic may have come due to the surprisingly widespread attention garnered by the CyCon attack, which may have caused users to adapt.