Skip to main content

Russian Spies Who Broke Into DNC Now Attacking Macs

Some of the same Russian spies blamed for hacking into Democratic National Committee servers are back in the news, and they're now apparently attacking Macs used by the aerospace industry, which includes many American and European defense contractors. This time, the spies are using spear-phishing emails that hide an OS X Trojan dubbed Komplex inside an attached PDF.

The front page of the malicious PDF sent to Mac users in the aerospace industry. Credit: Palo Alto Networks

(Image credit: The front page of the malicious PDF sent to Mac users in the aerospace industry. Credit: Palo Alto Networks)

The Unit 42 team at California-based Palo Alto Networks yesterday (Sept. 26) reported the attacks, which Palo Alto Networks traces to the Sofacy group of Russian military intelligence, also known as APT28, also known as Pawn Storm, also known as Fancy Bear. When email recipients open the attached PDF, which appears to be a 17-page slide deck about the Russian space program, Komplex drops its dirty payload onto the Mac.

MORE: 10 Worst Data Breaches of All Time

As the victim scrolls through the PDF, Komplex takes hold and waits for an internet connection. Once that's up and running, Komplex can download, install and execute additional malware, as well as delete files. Since the aerospace industry is the target, it's probably safe to assume that Komplex is intended to steal secrets and blueprints from organizations such as NASA, the European Space Agency and Western defense contractors.

Ryan Olson, the intelligence director of Unit 42, told Dark Reading that Komplex is "probably delivered by a spear-phishing attack." Spear phishing tailors email messages to fool the intended victims, making it look like a message comes from a trusted source and bearing an attachment of interest to the target.

Previous iterations of Komplex seen in the wild exploited a since-patched vulnerability in MacKeeper, a controversial Mac system utility that is often accused of spamming and scaring users into installing software they don't need.

So what should you do?

Our advice for every Mac user is the same for those working in the aerospace world. Be wary of opening unsolicited email attachments, even if they appear to come from friends or co-workers. Install and run Mac antivirus software that scans email attachments. Komplex and similar Trojans can be hidden in any kinds of files, not only PDFs.

Whether it's adult content or secrets that pertain to your profession, email attachments from an entity you're not 100 percent sure of are not to be touched.