
APT28: FireEye uncovered a Russian cyber espionage campaign

APT28: FireEye has issued a new report uncovering a large scale cyber-espionage campaign that appears sponsored by the Russian government.

A report published by FireEye reveals that a group of Russian hackers, dubbed APT28, is behind long-running cyber espionage campaigns that targeted US defense contractors, European security organizations and Eastern European government entities.

The hackers also targeted attendees of European defense exhibitions, including EuroNaval 2014, EUROSATORY 2014, the Counter Terror Expo and the Farnborough Airshow 2014.

Recently, leading security firms (Cisco, FireEye, F-Secure, iSight Partners, Microsoft, Tenable and others) took part in a joint effort dubbed Operation SMN against the cyber espionage group known as Hidden Lynx and its arsenal.

FireEye researchers collected evidence that the APT28 group is linked to the Russian government; according to the report, the team of hackers “does not appear to conduct widespread intellectual property theft for economic gain, but instead is focused on collecting intelligence that would be most useful to a government.”

“APT28 appeared to target individuals affiliated with European security organizations and global multilateral institutions. The Russian government has long cited European security organizations like NATO and the OSCE as existential threats, particularly during periods of increased tension in Europe,” FireEye reported.

APT28 has been active since 2007 and has targeted governments, militaries, and security organizations. The group focused its hacking campaigns on targets that would be of interest to Russia, such as the Caucasus region, with a particular focus on Georgia.

“Despite rumors of the Russian government’s alleged involvement in high-profile government and military cyber-attacks, there has been little hard evidence of any link to cyberespionage,” said Dan McWhorter, FireEye vice president of threat intelligence. “FireEye’s latest advanced persistent threat report sheds light on cyberespionage operations that we assess to be most likely sponsored by the Russian government, long believed to be a leader among major nations in performing sophisticated network attacks.”

The majority of the files analyzed by experts at FireEye carried Russian language settings; this suggests “that a significant portion of APT28 malware was compiled in a Russian-language build environment consistently over the course of six years.”

The timing of the malware builds also points to a Russia-based team: nearly 96 percent of the samples were compiled between Monday and Friday during an 8 AM to 6 PM workday in the Moscow time zone.

APT28 used spear-phishing emails to trick victims into opening a malicious attachment or clicking a malicious link.

The APT28 group has relied on a recurring set of tools in its campaigns, including a downloader called Sourface (aka Sofacy), the backdoor Eviltoss and the modular implant known as Chopstick.

Sofacy was also used in the cyber espionage campaign dubbed “Operation Pawn Storm”, recently uncovered by Trend Micro, which targeted military, government and media organizations worldwide.

In particular, Chopstick caught the attention of researchers because it “demonstrates formal coding practices indicative of methodical, diligent programmers.” Chopstick is a modular agent that appears very flexible and, according to the experts, is designed for long-term use and versatility.

In the report, the experts analyzed two different instances of CHOPSTICK containing “vastly different functionality”, depending on the modules the authors included in the malicious agent.

The Eviltoss backdoor uses asymmetric encryption to protect data siphoned from victims, and some samples analyzed by the experts also use SMTP to transfer stolen data out of the organization.

“APT28 is most likely supported by a group of developers creating tools intended for long-term use and versatility, who make an effort to obfuscate their activity,” FireEye wrote. “This suggests that APT28 receives direct ongoing financial and other resources from a well-established organization, most likely a nation state government.”

I invite you to read the excellent report, which can be downloaded here: http://www.fireeye.com/resources/pdfs/apt28.pdf.


Pierluigi Paganini

Security Affairs – (APT28, cyber espionage)
