CyCon U.S. Website Info Used as Decoy in Malicious Campaign

Information from the CyCon U.S. website has been used in a Word document intended to deliver malware. This type of attack, in which legitimate information is used to attract the attention of victims, is rather common and is normally detected and prevented in information systems with widely used safeguards. However, the NATO Cooperative Cyber Defence Centre of Excellence would like to remind readers that basic cyber hygiene should be followed when handling information related to trusted and well-known sources.

Cisco Talos* discovered a new malicious campaign from the well-known actor Group 74 (the APT28 cyber espionage group**). The decoy document is a flyer concerning the CyCon U.S. conference, organized in collaboration between the Army Cyber Institute at West Point and the NATO Cooperative Cyber Defence Centre of Excellence on 7-8 November 2017 in Washington, D.C. The flyer does not exploit software vulnerabilities; it relies on user interaction, with the user enabling and running the malicious code inside the spoofed document.

This is clearly an attempt to exploit the credibility of the Army Cyber Institute and NATO CCDCOE in order to target high-ranking officials and cyber security experts.

NATO CCDCOE confirms that the Word document used in the malicious campaign is fake.

This type of attack is commonly used to deliver APT-type malware to high-ranking officials. To avoid becoming a victim, basic safety measures should be followed, for example:

  • Pay attention to the alerts from your Office software; do not enable or run macros

  • Handle information obtained or received from the internet with special care

  • Regularly update the antivirus software on your computer

In case of suspicious activity, contact your IT security support or incident handling team.

 

*Cisco Talos blog http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html

**See https://www2.fireeye.com/apt28.html