Sign up for our daily briefing

Make your busy days simpler with Axios AM/PM. Catch up on what's new and why it matters in just 5 minutes.

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Catch up on coronavirus stories and special reports, curated by Mike Allen everyday

Catch up on coronavirus stories and special reports, curated by Mike Allen everyday

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Denver news in your inbox

Catch up on the most important stories affecting your hometown with Axios Denver

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Des Moines news in your inbox

Catch up on the most important stories affecting your hometown with Axios Des Moines

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Minneapolis-St. Paul news in your inbox

Catch up on the most important stories affecting your hometown with Axios Twin Cities

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Tampa Bay news in your inbox

Catch up on the most important stories affecting your hometown with Axios Tampa Bay

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Charlotte news in your inbox

Catch up on the most important stories affecting your hometown with Axios Charlotte

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Please enter a valid email.

Please enter a valid email.

Subscription failed
Thank you for subscribing!

Photo: Alastair Grant/AFP via Getty Images

FireEye announced last week that a cyber attack that looked like it could have come from the Russian hackers "Cozy Bear" may have impersonated a State Department official in a new phishing campaign.

The big picture: FireEye was careful to say last week that it was not ready to formally accuse Russia of the attack. It still isn't. But the security firm posted more information about the attack on Monday which has helped to fill in some blanks.

What they're saying: "We were shocked to see people saying this was definitely from Russia - we have material information we aren't releasing, and we're not sure yet. This is us showing our work," said Nick Carr, senior manager of adversary methods at FireEye

Why it matters: Cozy Bear, and all spy groups, regularly use phishing scams to breach targets. While the recent operation was nothing too far afield of other attacks, it is jarring to see such a brazen choice of cover identity.

The backdrop: The Cozy Bear hackers are the less talked about, more covert of the two Russian "bears" that attacked the Democratic National Committee in 2016. The hackers ceased activity soon after the election, and may not have resurfaced until now, if at all.

  • FireEye has noted the long gap in appearances as a reason the phishing emails might not have come from Cozy Bear.

Details: In the most recent attack, the hackers targeted a broad cross section of industries, including "think tanks, law enforcement, media, U.S. military, imagery, transportation, pharmaceuticals, national government, and defense contracting," That information was announced last week.

  • The targets significantly overlap with an attack on the firm Volexity, which was more definitively attributed to Cozy Bear in November.
  • If a victim clicked on the document included in the phishing email, a form labeled "TRAINING/INTERNSHIP PLACEMENT PLAN" would be found.
  • That document was laced with computer code giving the hackers a foothold on that system.

The malware the hackers used included the widely-available Cobalt Strike, so it's likely antivirus programs could catch this attack in progress.

  • But don't count on that, researchers at FireEye said: Cozy Bear sometimes uses easy-to-catch attacks as a smokescreen for more covert ones.

Go deeper

In photos: D.C. and U.S. states on alert for pre-inauguration violence

National Guard troops stand behind security fencing with the dome of the U.S. Capitol Building behind them, on Jan. 16. Photo: Kent Nishimura / Los Angeles Times via Getty Images

Security has been stepped up in Washington, D.C., and state capitols across the U.S. as authorities brace for potential violence this weekend.

Driving the news: Following the Jan. 6 insurrection at the U.S. Capitol by some supporters of President Trump, the FBI has said there could be armed protests in D.C. and in all 50 state capitols in the run-up to President-elect Joe Biden's inauguration Wednesday.

The new Washington

Illustration: Sarah Grillo/Axios

The Axios subject-matter experts brief you on the incoming administration's plans and team.

Rep. Lou Correa tests positive for COVID-19

Lou Correa. Photo: Tom Williams/CQ-Roll Call, Inc via Getty Images

Rep. Lou Correa (D-Calif.) announced on Saturday that he has tested positive for the coronavirus.

Why it matters: Correa is the latest Democratic lawmaker to share his positive test results after last week's deadly Capitol riot. Correa did not shelter in the designated safe zone with his congressional colleagues during the siege, per a spokesperson, instead staying outside to help Capitol Police.