Page:NSA Report on Russia Spearphishing.pdf/2

 DIRNSA and beacon out to malicious infrastructure. In October 2016, the actors also created a new e-mail address that was potentially used to offer election-related products and services, presumably to U. S.-based targets. Lastly, the actors sent test e-mails to two non-existent accounts ostensibly associated with absentee balloting, presumably with the purpose of creating those accounts to mimic legitimate services.

Campaign Against U. S. Company 1 and Voter Registration-Themed Phishing of U. S. Local Government Officials (S//SI//REL TO USA, FVEY/FISA)

Russian Cyber Threat Actors Target U. S. Company 1 (S//REL TO USA, FVEY/FISA)

(TS//SI//OC/REL TO USA, FVEY/FISA) Cyber threat actors executed a spear-phishing campaign from the email address noreplyautomaticservice@gmail.com on 24 August 2016 targeting victims that included employees of U. S. Company 1, according to information that became available in April 2017. This campaign appeared to be designed to obtain the end-users’ e-mail credentials by enticing the victims to click on an embedded link within a spoofed Google Alert e-mail, which would redirect the user to the malicious domain. The following potential victims were identified: (TS//SI//OC/REL TO USA, FVEY/FISA) Three of the malicious e-mails were rejected by the e-mail server with the response message that the victim’s addresses did not exist. The three rejected e-mail addresses were U. S. e-mail addresses 1 to 3 associated with U. S. Company 1. Page 2
 * U. S. e-mail address 1 associated with U. S. Company 1,
 * U. S. e-mail address 2 associated with U. S. Company 1,
 * U. S. e-mail address 3 associated with U. S. Company 1,
 * U. S. e-mail address 4 associated with U. S. Company 1,
 * U. S. e-mail address 5 associated with U. S. Company 1,
 * U. S. e-mail address 6 associated with U. S. Company 1, and
 * U. S. e-mail address 7 associated with U. S. Company 1.