Cosmic Lynx – The Rise of a Russian BEC Group
In a recent white paper published by Agari Cyber Intelligence Division (ACID), great insight is given into a threat actor that leverages social engineering attacks for business email compromise (BEC). As social engineering attacks offers greater return on investment for threat actors when compared to sophisticated malware-based attacks, a Russian organization dubbed Cosmic Lynx by ACID has become paradigm for this. More than 200 BEC campaigns targeting victims in 46 countries in 6 continents happened in July 2019 alone by Cosmic Lynx was observed by ACID. The profile of the victim is usually a large multinational organization such as a Fortune 500 or Global 2000, and usually a senior level or executive role. Targets often hold the title of Vice President, General Manager or Managing Director.
The attack, as ACID describes, is a dual impersonation scheme under the scenario of an acquisition of an Asian company. The attacker pretends to be the victim company’s CEO and the identity of a legitimate legal counsel which the victim company will rely on as well. Then the attacker asks the victim posing as the CEO to work with the same attacker (himself) posing as the legal counsel as well. Funds stolen during the exchanges are moved using Honk-Kong mule accounts. Cosmic Lynx also exploits DMARC controls to spoof email addresses of impersonated CEO’s, if DMARC policies have been set to reject or quarantine Cosmic Lynx changes the display name to include the email address of the CEO with the name for a somewhat legitimate looking email.
“Domains registered by Cosmic Lynx are named in a way to mimic secure email and network infrastructure (e.g., secure-mail-gateway[.]cc, encrypted-smtp-transport[.]cc, mx-secure-net[.] com). “ – ACID. With some of their domains registered with NiceVPS they have robust hosting as well anonymity, and their infrastructure links them to Trickbot and Emotet banking Trojans, Android click malware, a carding marketplace, and Russian fake document websites. NiceVPS offers other features as well which are beneficial to malicious actors such as warrant canary, giving the actor time to react to a law enforcement subpoena.
The attacks often ask for hundreds of thousands of dollars, if not millions during the interactions of BEC attacks. They often prefer the victim to send the money to their mule accounts. Researchers at ACID engaged with Cosmic Lynx and tried to deny sending money to the Hong Kong accounts, and requested a US account and Cosmic Lynx only provided secondary mule accounts in Hungary, Poland, and Romania. Either not wanting to disclose their US accounts or for the reason of not having any, Cosmic Lynx prefers not to receive illicit funds in the US. This is where they differ from other BEC actors, because usually other BEC threat actors have a mule account in the victim’s country ready.
Aside from this threat actor, BEC attacks have become significant threats to businesses today, Since 2016 business lost of $26 billion as a result of BEC attacks and attacks have grown 37% since 2019 according to a FBI IC3 report and thus account for 40% of all cybercrime reported this year. To protect against these threats understanding the threat landscape is important as well as having defenses in place that detect deception attacks that inbound filters are not designed for. There also need to be organizational changes around how funds are authorized and vetted. This is more than just a technical issue, but non-technical solutions can solve threats that are technically unsophisticated. Various IOC’s and social engineering tactics are published in the whitepaper linked below.
Sources: