For years, costly email grifts have largely been the province of West African scammers, particularly those based in Nigeria. A newly discovered “business email compromise” campaign, though, appears to come from a criminal group in a part of the world better known for a different brand of online mayhem: Russia.
Dubbed “Cosmic Lynx,” the group has carried out more than 200 BEC campaigns since July 2019, according to researchers from the email security firm Agari, particularly targeting senior executives at large organizations and corporations in 46 countries. Cosmic Lynx specializes in topical, tailored scams related to mergers and acquisitions; the group typically requests hundreds of thousands or even millions of dollars as part of its hustles. The researchers, who have worked extensively on tracking Nigerian BEC scammers, say they don’t have a clear sense of how often Cosmic Lynx actually succeeds at obtaining a payout. Given that the group hasn’t lowered its asks in a year, though, and has been prolific about developing new campaigns—including some compelling Covid-19-related scams—Agari reasons that Cosmic Lynx must be raking in a fair amount of money.
“Most Eastern European and Russian hackers have been so entrenched in malware campaigns and technically sophisticated infrastructure that as long as there are returns they don’t need to adapt,” says Crane Hassold, senior director of threat research at Agari and a former digital behavior analyst for the Federal Bureau of Investigation. “But defenses against technically sophisticated attacks have gotten significantly better, and they’re realizing that the return on investment for these social engineering-based attacks is much higher.”
West African scammers typically run their BEC campaigns on rented or free cloud infrastructure using free email accounts. They have increasingly branched out into off-the-shelf hacking tools like keyloggers and even backdoors into targets’ systems, but malware has typically not played a major role. Overhead is much lower when you don’t need to develop and maintain your own infrastructure and software. This may have been a selling point for Cosmic Lynx, which combines some of the technical chops of a Russian criminal hacking group with the cost savings of a classic, low-tech BEC attack.
For example, rather than use free accounts, Cosmic Lynx registers a strategic domain name for each BEC campaign so that its sending addresses look like they belong to the organization it is impersonating. The group also knows how to shield these domains so they’re harder to trace to the true owner. Cosmic Lynx has a strong understanding of the email authentication protocol DMARC as well: before a campaign, it checks which DMARC policy each target’s domain publishes, so it can choose whichever spoofing approach that policy fails to block.
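The DMARC reconnaissance described above is something a defender can run against their own domains just as easily as an attacker can run it against a target. The following is an added example, not Agari’s tooling or the group’s code: it parses DMARC TXT records and classifies how exposed a domain is to exact-domain spoofing. The domains and records in SAMPLE_DNS are constructed for the example, and the organizational-domain fallback is a deliberate simplification of the Public Suffix List logic in RFC 7489 (a real tool would use the PSL or a DNS library such as dnspython).

```python
"""Assess a domain's published DMARC policy the way BEC reconnaissance would.

Added example (not Agari's or Cosmic Lynx's code). Uses a constructed in-memory
"DNS" so it runs offline; swap in a real TXT lookup for production use.
"""

# Constructed sample TXT records for hypothetical domains. Keys mimic the
# _dmarc.<domain> label that a real resolver would query.
SAMPLE_DNS = {
    "_dmarc.acme-holdings.example": "v=DMARC1; p=reject; rua=mailto:dmarc@acme-holdings.example; pct=100",
    "_dmarc.target-corp.example": "v=DMARC1; p=none; rua=mailto:reports@target-corp.example",
    "_dmarc.partial.example": "v=DMARC1; p=quarantine; pct=10",
    "_dmarc.subdomain-gap.example": "v=DMARC1; p=reject; sp=none",
}


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=...; ...' into a tag dict; {} if it is not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def effective_policy(domain: str, dns: dict = SAMPLE_DNS):
    """Return (policy, pct, source) for the domain.

    A subdomain without its own record inherits the organizational domain's
    sp= tag (or p= if sp= is absent). Organizational domain is approximated as
    the last two labels; real DMARC uses the Public Suffix List.
    """
    tags = parse_dmarc(dns.get(f"_dmarc.{domain}", ""))
    if tags:
        return tags.get("p", "none"), int(tags.get("pct", "100")), "own record"
    labels = domain.split(".")
    if len(labels) > 2:
        org = ".".join(labels[-2:])  # simplification, see docstring
        org_tags = parse_dmarc(dns.get(f"_dmarc.{org}", ""))
        if org_tags:
            policy = org_tags.get("sp", org_tags.get("p", "none"))
            return policy, int(org_tags.get("pct", "100")), f"inherited from {org}"
    return None, 0, "no record"


def spoofing_exposure(domain: str, dns: dict = SAMPLE_DNS) -> str:
    """Classify what an attacker spoofing the exact domain can expect."""
    policy, pct, source = effective_policy(domain, dns)
    if policy is None:
        return f"UNPROTECTED ({source}): exact-domain spoofing is not blocked"
    if policy == "none":
        return f"UNPROTECTED ({source}): p=none only reports; spoofed mail is delivered"
    if pct < 100:
        return f"PARTIAL ({source}): p={policy} applied to only {pct}% of failing mail"
    return f"PROTECTED ({source}): p={policy}; attacker must fall back to a lookalike domain"


if __name__ == "__main__":
    for d in ("acme-holdings.example", "target-corp.example", "partial.example",
              "mail.subdomain-gap.example", "nothing.example"):
        print(f"{d:32} {spoofing_exposure(d)}")
```

The point of the `sp=` case is easy to miss in an audit: a domain can publish `p=reject` and still leave every subdomain spoofable if `sp=none` is set, so check the effective policy for the hostnames that actually send mail, not just the apex.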
Cosmic Lynx also drafts unusually clean and credible-looking messages to deceive targets. The group will find a company that is about to complete an acquisition and contact one of its top executives posing as the CEO of the organization being bought. This phony CEO will then involve “external legal counsel” to facilitate the necessary payments. This is where Cosmic Lynx adds a second persona to give the process an air of legitimacy, typically impersonating a real lawyer from a well-regarded law firm in the United Kingdom. The fake lawyer will email the same executive the “CEO” wrote to, often in a new email thread, and share logistics about completing the transaction. Unlike most BEC campaigns, in which the messages often have grammatical mistakes or awkward wording, Cosmic Lynx messages are almost always clean. The group generally corresponds in English regardless of the nationalities of the companies involved. In one campaign, Agari researchers observed Cosmic Lynx attackers corresponding in French.
The Agari researchers have several reasons to believe Cosmic Lynx is a Russian criminal group. First, Cosmic Lynx emails generally appear to be sent in Moscow Standard Time, though the researchers readily note that this timestamp can be manipulated. Belarus and parts of Georgia and Ukraine also operate in Moscow Standard Time. Second, the Agari researchers have uncovered some connections between the group’s infrastructure and that used by the notorious Trickbot and Emotet trojans, which are both believed to have Russian ties. Additionally, the researchers have repeatedly seen Cosmic Lynx use IP addresses in its BEC campaigns that are also used by websites that sell fake Russian documents like birth certificates and death certificates. These sites often cater to customers in Ukraine as well. Finally, in analyzing the metadata of documents sent by Cosmic Lynx, Agari has found Russian cultural references, including one to a popular Saint Petersburg-based DJ.
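The timezone clue is the one an incident responder can reproduce from a mailbox, and it is also the one the researchers flag as forgeable. The following added example (not Agari’s analysis code) shows both halves: it tallies the UTC offset that senders claim in the Date header across a set of messages, and it cross-checks each claimed Date against the timestamp the recipient’s own mail server wrote into the topmost Received header, since that stamp is not under the sender’s control. The three messages, and the domains in them, are constructed for the example.

```python
"""Offset tally and Date/Received skew check for BEC header analysis.

Added example (not Agari's code). Messages below are constructed; the
addresses and hostnames are hypothetical.
"""
from collections import Counter
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

SAMPLE_MESSAGES = [
    # Received is written by the recipient's MX (mx.victim.example); Date by the sender.
    "Received: from mail.lookalike-co.example by mx.victim.example; Mon, 6 Jul 2020 07:14:09 +0000\n"
    "Date: Mon, 6 Jul 2020 10:14:02 +0300\n"
    "From: ceo@lookalike-co.example\nSubject: Confidential acquisition\n\nPlease treat as urgent.\n",

    "Received: from mail.uk-law-lookalike.example by mx.victim.example; Tue, 7 Jul 2020 13:02:40 +0000\n"
    "Date: Tue, 7 Jul 2020 16:02:31 +0300\n"
    "From: partner@uk-law-lookalike.example\nSubject: Re: Transaction logistics\n\nWire details attached.\n",

    # Date claims 07:14Z but the relay only saw the message at 12:30Z: the
    # client-set Date header does not match reality and should not be trusted.
    "Received: from mail.lookalike-co.example by mx.victim.example; Wed, 8 Jul 2020 12:30:00 +0000\n"
    "Date: Wed, 8 Jul 2020 10:14:02 +0300\n"
    "From: ceo@lookalike-co.example\nSubject: Follow-up\n\nAny update?\n",
]


def _aware(dt):
    """parsedate_to_datetime returns naive for '-0000'; treat that as UTC."""
    return dt if dt.tzinfo is not None else dt.replace(tzinfo=timezone.utc)


def sender_utc_offset_hours(raw: str) -> float:
    """UTC offset the sender's client put in the Date header, in hours."""
    msg = message_from_string(raw)
    return _aware(parsedate_to_datetime(msg["Date"])).utcoffset().total_seconds() / 3600


def date_received_skew_seconds(raw: str) -> float:
    """Seconds between the claimed Date and the stamp in the topmost Received
    header. Received headers are prepended per hop, so index 0 is the one our
    own MX added last, which the sender cannot rewrite."""
    msg = message_from_string(raw)
    topmost = msg.get_all("Received")[0]
    stamp = _aware(parsedate_to_datetime(topmost.rsplit(";", 1)[1].strip()))
    claimed = _aware(parsedate_to_datetime(msg["Date"]))
    return (stamp - claimed).total_seconds()


def offset_histogram(raws) -> Counter:
    """How many messages claim each UTC offset; a cluster at +3.0 is UTC+3."""
    return Counter(sender_utc_offset_hours(r) for r in raws)


def suspicious_timestamps(raws, max_skew_seconds: int = 600) -> list:
    """Indices of messages whose Date disagrees with our MX by more than the limit."""
    return [i for i, r in enumerate(raws)
            if abs(date_received_skew_seconds(r)) > max_skew_seconds]


if __name__ == "__main__":
    print("claimed offsets:", dict(offset_histogram(SAMPLE_MESSAGES)))
    print("messages with untrustworthy Date:", suspicious_timestamps(SAMPLE_MESSAGES))
```

A cluster at UTC+3 narrows the sender to a band of the map, not a country: it is Moscow Standard Time, but the same offset is used in Minsk and other places, which is why the researchers treat it as one indicator among several rather than proof on its own.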