New Zebrocy Campaign Suggests Russia Continues Attacks on NATO

QuoINT security researchers have identified a new Zebrocy campaign targeting countries associated with the North Atlantic Treaty Organization (NATO).

Detailed for the first time in 2018, Zebrocy has been associated with the Russia-linked state-sponsored threat actor APT28 (also known as Fancy Bear, Pawn Storm, Sednit, and Strontium), which has been active since at least 2007.

While some security researchers see Zebrocy as a separate adversary, others have shown connections between various threat actors operating out of Russia, including a link between GreyEnergy and Zebrocy attacks.

The recently observed campaign, which likely started on August 5, employed the Delphi version of the Zebrocy malware and a command and control (C&C) infrastructure hosted in France, QuoINT’s security researchers reveal.

Lures employed in these attacks had a NATO-related theme, a recurring motif in APT28 campaigns — the adversary used a similar theme in attacks in 2017. The intended victim in the new attacks was a specific government body in Azerbaijan, but other NATO members or countries involved in NATO exercises might have been targeted as well.

The attackers distributed what appeared to be a JPEG image that was actually a ZIP archive concatenated to the image data to evade detection. The archive drops the Zebrocy executable and a corrupted Excel file, the latter likely serving as a decoy to lure the intended victim into executing the malware.
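A defender-side check for the disguise described above, added here as an illustrative example and not part of the original article or QuoINT's analysis: it builds a constructed sample (a fake JPEG header with a small ZIP appended) and reports whether a file that presents as a JPEG also carries a ZIP end-of-central-directory record with readable members. The sample bytes, file names and the `PolyglotReport` helper are all assumptions made for this example.

```python
from __future__ import annotations
import io
import zipfile
from dataclasses import dataclass

JPEG_SOI = b"\xff\xd8\xff"        # Start Of Image: every JPEG begins with these bytes
JPEG_EOI = b"\xff\xd9"            # End Of Image marker
ZIP_LOCAL_HDR = b"PK\x03\x04"     # ZIP local file header signature
ZIP_EOCD = b"PK\x05\x06"          # ZIP End Of Central Directory signature
MAX_EOCD_SEARCH = 22 + 65535      # EOCD record plus the maximum trailing comment length

# Constructed stand-in for a JPEG (SOI + APP0/JFIF segment + EOI); not a real image.
FAKE_JPEG_PREFIX = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
                    + JPEG_EOI)

@dataclass
class PolyglotReport:
    looks_like_jpeg: bool
    has_zip_eocd: bool
    zip_offset: int            # offset of the first ZIP local header, -1 if none found
    archive_members: list[str]

    @property
    def is_suspicious(self) -> bool:
        # A file that presents as an image yet opens as an archive is the disguise pattern
        # described in the article.
        return self.looks_like_jpeg and self.has_zip_eocd and bool(self.archive_members)

def inspect_image_bytes(data: bytes) -> PolyglotReport:
    """Check whether JPEG-looking bytes also carry an appended ZIP archive."""
    looks_like_jpeg = data.startswith(JPEG_SOI)
    has_eocd = ZIP_EOCD in data[-MAX_EOCD_SEARCH:]
    members: list[str] = []
    if has_eocd:
        try:
            # zipfile locates the EOCD record from the end and tolerates leading non-ZIP
            # data, which is exactly why "image + archive" concatenation still opens.
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = zf.namelist()
        except zipfile.BadZipFile:
            pass
    return PolyglotReport(looks_like_jpeg, has_eocd, data.find(ZIP_LOCAL_HDR), members)

def build_sample() -> bytes:
    """Constructed sample: fake JPEG header followed by a small ZIP archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.exe", b"MZ" + b"\x00" * 64)   # placeholder bytes, not a real PE
        zf.writestr("report.xlsx", b"placeholder, not a workbook")
    return FAKE_JPEG_PREFIX + buf.getvalue()

if __name__ == "__main__":
    report = inspect_image_bytes(build_sample())
    print(report, "suspicious:", report.is_suspicious)
```

The same check applies to any attachment whose declared type is an image: a clean JPEG yields no EOCD record and an empty member list.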

Once executed, the malware creates a scheduled task to regularly attempt to send stolen data to a remote domain. On machines that the C&C server appears to find uninteresting, the connection is terminated by the server.

“QuoINT concludes with medium-high confidence that the campaign targeted a specific government body, at least in Azerbaijan. Although Azerbaijan is not a NATO member, it closely cooperates with the North-Atlantic organizations and participates in NATO exercises. Further, the same campaign very likely targeted other NATO members or countries cooperating with NATO exercises,” QuoINT says.

The security researchers also note that this APT28 attack shows striking similarities with a ReconHellcat/BlackWater attack uncovered last month: the compressed Zebrocy malware and the lure from the BlackWater attack were both uploaded on August 5 by the same user in Azerbaijan (highly likely the same organization), the attacks happened simultaneously, and the victimology is similar in both cases.

Furthermore, the researchers point out that APT28 previously targeted both NATO and the Organization for Security and Co-operation in Europe (OSCE) — the ReconHellcat campaign was employing OSCE-themed lures — but that there’s no “strong causation link […] or solid technical link between the two attacks.”

“We assessed ReconHellcat as a high-capability APT group, like APT28,” QuoINT concludes.

Related: FBI, NSA Share Details on New ‘Drovorub’ Linux Malware Used by Russia

Related: NSA Publishes IOCs Associated With Russian Targeting of Exim Servers

Related: Phishing Campaign Targeting Ukrainian Firm Burisma Linked to Russian Cyberspies

Written By

Ionut Arghire is an international correspondent for SecurityWeek.