Russia-linked hacker group APT28 continues to target Montenegro

Once again, Montenegro was targeted by the Russia-linked hacker group APT28, according to the experts it is just the beginning.

On June 5 Montenegro officially joined NATO alliance despite the strong opposition from Russian Government that threatened to retaliate.

Cybersecurity experts believe that a new wave of attacks from the cyberspace will hit the state. In February, for the second time in a few months, Montenegro suffered massive and prolonged cyberattacks against government and media websites.

Researchers at security firm FireEye who analyzed the attacks observed malware and exploits associated with the notorious Russia-linked APT group known as APT28 (aka Fancy Bear, Pawn Storm, Strontium, Sofacy, Sednit, and Tsar Team).

Another massive attack hit the country’s institutions during October elections, amid speculation that the Russian Government was involved.

In the last string of attacks, hackers  targeted Montenegro with spear phishing attacks, the malicious messages used weaponized documents pertaining to a NATO secretary meeting and a visit by a European army unit to Montenegro.

The hackers delivered the GAMEFISH backdoor (aka Sednit, Seduploader, JHUHUGIT and Sofacy), a malware that was used only by the APT28 group in past attacks.

According to FireEye, the documents delivered the backdoor via a Flash exploit framework dubbed DealersChoice.

“NATO expansion is often viewed as a security threat by the Russian Federation, and Montenegro’s bid for membership was strongly contested by Russia and the pro-Russia political parties in Montenegro,” Tony Cole, vice president and chief technology officer for global government at FireEye, told journalists today.” reportedEl Reg.

“It’s likely that this activity is a part of APT28’s continued focus on targeting various NATO member states, as well as the organization itself. Russia has strongly opposed Montenegro’s NATO accession process and is likely to continue using cyber capabilities to undermine Montenegro’s smooth integration into the alliance,”

The bait documents first gather information of the target system in an effort to determine which version of Flash Player it is running on the machine, then it connects the C&C server to receive the appropriate Flash exploit. The exploits used in the attacks include the code to trigger the CVE-2015-7645 and CVE-2016-7855, are used to deliver GAMEFISH.

At the time I’m writing there is no news about the specific targets of the campaign neither is the attacks were successful.

Clearly, APT28’s and other Russian linked APT will continue to target the country such as other NATO member states.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Montenegro, APT28)

[adrotate banner=”5″]

[adrotate banner=”13″]