Joerg Habermeier - stock.adobe.c

Cosmic Lynx cyber crime group takes BEC to new heights

Newly identified Russian threat group targets large organisations with increasingly dangerous business email compromise attacks

A newly identified Russian cyber criminal group, called Cosmic Lynx by the threat researchers who have been tracking it, is developing increasingly complex and creative business email compromise (BEC) attacks that target Fortune 500 enterprises.

Until recently, BEC attacks were largely the domain of Nigerian cyber criminals, and tended to target businesses indiscriminately, according to Crane Hassold, senior director of threat intelligence at email security firm Agari, who first observed this activity. A combination of simplicity and high return on investment (RoI) seems to be making BEC scams more attractive to other groups, he said.

At some point, argued Hassold in a disclosure blog, Russian cyber criminals were going to ask themselves why they were spending so much time and money on infrastructure and malware development when they can just send someone an email, ask for money, and get it. This now appears to be happening, he said.

In its simplest form, a BEC attack involved a cyber criminal targeting an employee with access to company funds and convincing them to transfer money to the attacker’s bank account. This is usually done by compromising a C-suite target, then impersonating them to trick someone lower down the food chain at the target business by, for example, requesting an urgent end-of-quarter payment to a big client.

This is one of the most prominent cyber threats faced by businesses today, and organisations are thought to have lost more than $26bn in BEC attacks since 2017. Based on recent figures from the FBI, losses grew by 37% in 2019 alone, accounting for 40% of total cyber crime losses.

In the case of Cosmic Lynx, Hassold said the group was developing BEC attacks that set them apart from the more generic types of scam, and has apparently targeted at least 200 organisations since this time last year, most of them global multinationals.

Cosmic Lynx’s method involves what Agari describes as a dual impersonation scheme. In this scenario, the target organisation is supposedly about to close an acquisition of a large Asian company. The criminals first impersonate their target’s CEO to ask an employee to liaise with “external legal counsel” over the final payment needed for closure. They then deploy the hijacked identity of a genuine lawyer at a UK-based practice to facilitate the payment.

Dangerously, the group is able to exploit Dmarc controls to spoof the impersonated email addresses, which can help them get around security systems that may otherwise reject or quarantine the phishes.

Cosmic Lynx has registered several domains in a style that mimics secure email or network infrastructure, and has registered a number of these domains with NiceVPS, described as a bulletproof hosting and anonymous domain provider.

Hassold said its infrastructure was also linked to other types of activity more usually associated with Russian actors, including the Emotet and Trickbot trojans.

In the second and final stage of the attack, the victim transfers a large sum – on average $1.27m, far above the amounts more usually requested in BEC attacks – through mule accounts, mostly located in Hong Kong, although others have been detected in Hungary, Portugal and Romania.

Read more about BEC attacks

Jelle Wieringa, technical evangelist at KnowBe4, said it was only a matter of time before more refined and sophisticated BEC attacks emerged.

“Cyber criminals like to work as smart as possible, with the most return on investment for their time spent,” he said. “Going after larger organisations, where there is more to be gained, and targeting higher-up representatives who have more authority to approve transactions of larger sums, was to be expected. 

“Groups like Cosmic Lynx go to show the importance of creating awareness for cyber security throughout the whole organisation. Social engineering attacks like BEC will affect everyone, no matter what role or position you occupy.”

Chris Ross, senior vice-president at Barracuda Networks, added: “BEC schemes remain active and prevalent, posing a huge risk to unsuspecting organisations. This type of spear-phishing attack has been trending, with Barracuda Sentinel detecting 467,825 spear-phishing email attacks between 1 March and 23 March – a 667% increase.

“Tackling this issue requires companies to invest in the very latest email protection systems and also ensure that every employee is acutely aware of these scams and how they operate.”

The Agari disclosure comes just days after the high-profile arrest and extradition to the US of a Dubai-based Nigerian national, Ramon Abbas, on charges of running an elaborate international BEC campaign, including an attempt to swindle £100m from an unnamed Premier League football club.

Abbas, who went by the handle “hushpuppi” on Instagram, where he courted over two million followers and posted photos of luxury hotels and cars, faces 20 years in jail if found guilty.

Next Steps

COVID, gift cards and phony acquisitions top BEC attack trends

Read more on Hackers and cybercrime prevention