
FireEye Links Russia to Cyber Espionage Campaign Dating Back to 2007

APT28 Attackers

Security firm FireEye has released a new report uncovering and detailing a large cyber-espionage campaign that the company believes is sponsored by the Russian government and dates back to 2007.

The group behind the campaign, which FireEye is calling APT28, is a skilled team of developers and operators collecting intelligence on defense and geopolitical issues that would clearly benefit Russia.

Unlike many attacks often attributed to China and detailed in Mandiant’s (now part of FireEye) APT1 report released in 2013, the APT28 attackers do not appear to be after intellectual property theft for economic gain. FireEye said the attackers have not been seen trying to steal and profit from financial account information.

“This threat group has been tracked pretty heavily by the community over the last six months,” Dan McWhorter, FireEye VP of Threat Intelligence, told SecurityWeek. Other researchers and firms have referred to the malware used in the attacks as “Sofacy,” McWhorter said.

Last week, Trend Micro released a report on a cyber-espionage operation dubbed “Operation Pawn Storm,” which targeted military, government and media organizations around the world and utilized the Sofacy malware.

But according to McWhorter, the direct link and attribution to Russia is what FireEye is highlighting in its APT28 report.

According to FireEye, the threat actors behind APT28 are after insider information related to governments, militaries, and security organizations that would likely benefit the Russian government. Targets include the Caucasus (particularly the Georgian government), Eastern European governments and militaries, and specific security organizations.

"APT28 appeared to target individuals affiliated with European security organizations and global multilateral institutions. The Russian government has long cited European security organizations like NATO and the OSCE as existential threats, particularly during periods of increased tension in Europe," FireEye reported.

FireEye’s analysis also revealed that APT28 has been “systematically updating their malware” since 2007 and is supported by developers creating tools intended for long-term use and versatility.

Based on analysis of the malware samples used by the threat group, researchers determined that more than 96% of the samples were compiled between Monday and Friday, with close to 90% of them built between 8AM and 6PM UTC+4, the time zone of Moscow and St. Petersburg.
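As an added illustration of the compile-timestamp analysis described above (example code written for this page, not FireEye's own tooling): it reads the COFF TimeDateStamp from a PE header and measures what share of a sample set was built on weekdays and within 08:00 to 18:00 in a chosen UTC offset. The PE stub and the build times are constructed test data.

```python
import struct
from datetime import datetime, timedelta, timezone

def pe_timestamp(data: bytes) -> int:
    """Return the COFF FileHeader.TimeDateStamp (seconds since the Unix epoch) of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]      # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]

def work_pattern(timestamps, utc_offset_hours, start_hour=8, end_hour=18):
    """Share of timestamps that fall on Mon-Fri and share inside [start_hour, end_hour)
    in the given fixed UTC offset; returned as (weekday_share, workhour_share)."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    weekday = workhours = 0
    for ts in timestamps:
        local = datetime.fromtimestamp(ts, tz)
        weekday += local.weekday() < 5
        workhours += start_hour <= local.hour < end_hour
    return weekday / len(timestamps), workhours / len(timestamps)

def make_stub_pe(ts: int) -> bytes:
    """Constructed minimal MZ/PE header carrying the given timestamp (test data, not a real binary)."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                  # e_lfanew -> right after the DOS stub
    coff = struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 0, 0x102)
    return bytes(hdr) + b"PE\0\0" + coff

def sample_timestamps():
    """Constructed build times expressed in UTC+4 (Moscow time at the date of the report)."""
    tz = timezone(timedelta(hours=4))
    builds = [
        datetime(2014, 10, 21, 10, 30, tzinfo=tz),   # Tue, inside working hours
        datetime(2014, 10, 22, 17, 59, tzinfo=tz),   # Wed, inside working hours
        datetime(2014, 10, 23, 18, 0, tzinfo=tz),    # Thu, just after the window
        datetime(2014, 10, 24, 8, 0, tzinfo=tz),     # Fri, start of the window
        datetime(2014, 10, 25, 14, 0, tzinfo=tz),    # Sat, weekend build
    ]
    return [int(d.timestamp()) for d in builds]

if __name__ == "__main__":
    stamps = [pe_timestamp(make_stub_pe(t)) for t in sample_timestamps()]
    wd, wh = work_pattern(stamps, utc_offset_hours=4)
    print(f"weekday share {wd:.0%}, 08-18 UTC+4 share {wh:.0%}")
```

Running the same sample set through several candidate offsets and comparing the working-hour shares is how a time-zone hypothesis is tested; note that TimeDateStamp is attacker-controlled and can be zeroed or forged, so it supports attribution only alongside other evidence.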

“We feel we tied together enough evidence to make it conclusive that Russia was the government sponsoring the activity,” McWhorter said.

Tools leveraged by the APT28 attackers include the SOURFACE downloader, a second stage backdoor called EVILTOSS, and a modular family of implants written in C++ that FireEye calls CHOPSTICK.

Features of CHOPSTICK include the ability to collect detailed information from infected host machines, including the Windows version, CPU architecture, Windows Firewall state, User Account Control configuration settings on Windows Vista and above, and Internet Explorer settings. The malware also tests for the installation of specific security products and applications, FireEye said.

Interestingly, the report (PDF) explained that two separate CHOPSTICK backdoors could contain “vastly different functionality,” depending on which modules were included at compile time.

Similar to many other attacks, APT28 uses spearphishing emails to target its victims.

The attackers have attempted to obfuscate their code and use techniques that make analysis challenging, FireEye said, including counter-reverse-engineering tactics such as inserting unused machine instructions to create “unnecessary noise” in the disassembly. The malware also performs runtime checks to determine whether it is executing in an analysis (virtual) environment and, if so, remains dormant and does not launch its payload.

APT28 Targets

According to FireEye, APT28 made at least two specific attempts to target the Georgian Ministry of Internal Affairs, the Ministry of Defense, and a U.S. defense contractor that was training the Georgian military.

The attackers also zeroed in on a specific journalist covering issues in the Caucasus region, and showed interest in those involved in the Baltic Host, an annual logistics planning exercise hosted by Estonia, Latvia, or Lithuania, all of which border Russia.

“Such targets would potentially provide APT28 with sensitive tactical and strategic intelligence concerning regional military capabilities and relationships,” FireEye said.

Several of the domains APT28 registered imitated NATO domain names, including those of NATO Special Operations Headquarters and the NATO Future Forces Exhibition.

The threat actors also targeted attendees of European defense exhibitions, including the Farnborough Airshow 2014, EuroNaval 2014, EUROSATORY 2014, and the Counter Terror Expo.

Other “probable” targets identified by FireEye include:

• Norwegian Army (Forsvaret)
• Government of Mexico
• Chilean Military
• Pakistani Navy
• U.S. Defense Contractors
• European Embassy in Iraq
• Special Operations Forces Exhibition (SOFEX) in Jordan
• Defense Attaches in East Asia
• Asia-Pacific Economic Cooperation (APEC)
• Al-Wayi News Site

At the time of publishing the report, FireEye had identified 103 malware samples that it says are attributed to APT28, but McWhorter believes there are a great deal more.

Earlier this month, iSight Partners revealed that a threat group allegedly linked with the Russian government had been leveraging a Microsoft Windows zero-day vulnerability to target NATO, the European Union, and various private energy and telecommunications organizations in Europe. The group has been dubbed the "Sandworm Team" and it has been using weaponized PowerPoint files in its recent attacks.

According to researchers at Trend Micro, the Sandworm team may also have their eyes set on compromising SCADA-based systems.

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.