FireEye Links Russia to Cyber Espionage Campaign Dating Back to 2007

Security firm FireEye has released a new report uncovering and detailing a large cyber-espionage campaign that the company believes is sponsored by the Russian government and dates back to 2007.

The group behind the campaign, which FireEye is calling APT28, is a skilled team of developers and operators collecting intelligence on defense and geopolitical issues that would clearly benefit Russia.

Unlike many attacks often attributed to China and detailed in Mandiant’s (now part of FireEye) APT1 report released in 2013, the APT28 attackers do not appear to be after intellectual property theft for economic gain. FireEye said the attackers have not been seen trying to steal and profit from financial account information.

“This threat group has been tracked pretty heavily by the community over the last six months,” Dan McWhorter, FireEye VP of Threat Intelligence, told SecurityWeek. Other researchers and firms have referred to the malware used in the attacks as “Sofacy,” McWhorter said.

Last week, Trend Micro released a report on a cyber-espionage operation dubbed “Operation Pawn Storm” which targeted military, government and media organizations around the world and utilized the Sofacy malware.

But according to McWhorter, the direct link and attribution to Russia is what FireEye is highlighting in its APT28 report.

According to FireEye, the threat actors behind APT28 are after insider information related to governments, militaries, and security organizations that would likely benefit the Russian government. Targets include the Caucasus (particularly the Georgian government), Eastern European governments and militaries, and specific security organizations.

“APT28 appeared to target individuals affiliated with European security organizations and global multilateral institutions. The Russian government has long cited European security organizations like NATO and the OSCE as existential threats, particularly during periods of increased tension in Europe,” FireEye reported.

FireEye’s analysis also revealed that APT28 has been “systematically updating their malware” since 2007 and is supported by developers creating tools intended for long-term use and versatility.

Based on the analysis of the pieces of malware used by the threat group, researchers determined that more than 96% of the samples have been compiled between Monday and Friday, with close to 90% of them built between 8AM and 6PM UTC+4, which corresponds to the cities of Moscow and St. Petersburg.
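The compile-time pattern described above can be reproduced from the PE header of each sample. The script below is an added example, not code from FireEye or the report: it takes a constructed set of PE TimeDateStamp values, converts them to UTC+4 and reports the weekday and working-hours shares; it also goes one step beyond the article by scanning every UTC offset to show which one fits the working-hours window best, since the same data can fit several zones equally well.

```python
from datetime import datetime, timedelta, timezone

# UTC+4 is the offset the report used for Moscow / St. Petersburg in 2014.
MOSCOW = timezone(timedelta(hours=4))

# Constructed sample set, not the report's real data: PE TimeDateStamp values
# (seconds since the Unix epoch, UTC) as read from each IMAGE_FILE_HEADER.
# Five weekday builds during Moscow working hours plus one Saturday build.
SAMPLE_TIMESTAMPS = [
    int(datetime(2014, 10, 27, 8, 0, tzinfo=MOSCOW).timestamp()),    # Mon 08:00
    int(datetime(2014, 10, 28, 10, 30, tzinfo=MOSCOW).timestamp()),  # Tue 10:30
    int(datetime(2014, 10, 29, 12, 15, tzinfo=MOSCOW).timestamp()),  # Wed 12:15
    int(datetime(2014, 10, 30, 14, 45, tzinfo=MOSCOW).timestamp()),  # Thu 14:45
    int(datetime(2014, 10, 31, 17, 59, tzinfo=MOSCOW).timestamp()),  # Fri 17:59
    int(datetime(2014, 11, 1, 12, 0, tzinfo=MOSCOW).timestamp()),    # Sat 12:00
]


def to_local(ts, offset_hours):
    """Convert a PE TimeDateStamp (UTC epoch seconds) to the given UTC offset."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).astimezone(
        timezone(timedelta(hours=offset_hours)))


def summarize(timestamps, offset_hours=4):
    """Share of samples compiled Mon-Fri and within 08:00-18:00 local time."""
    local = [to_local(t, offset_hours) for t in timestamps]
    weekdays = sum(1 for d in local if d.weekday() < 5)
    work_hours = sum(1 for d in local if 8 <= d.hour < 18)
    n = len(local)
    return {"samples": n,
            "weekday_pct": round(100.0 * weekdays / n, 1),
            "work_hours_pct": round(100.0 * work_hours / n, 1)}


def best_fit_offsets(timestamps):
    """UTC offsets (-12..+14) under which the most samples fall in working hours.
    A list is returned because offsets can tie; a tie means the timestamps
    alone cannot single out one time zone."""
    scores = {off: summarize(timestamps, off)["work_hours_pct"]
              for off in range(-12, 15)}
    best = max(scores.values())
    return sorted(off for off, s in scores.items() if s == best)


if __name__ == "__main__":
    print(summarize(SAMPLE_TIMESTAMPS))
    print("best-fit offsets:", best_fit_offsets(SAMPLE_TIMESTAMPS))
```

Build timestamps can be zeroed or forged by the builder, so this is corroborating evidence to weigh alongside other indicators, not proof of origin on its own.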

“We feel we tied together enough evidence to make it conclusive that Russia was the government sponsoring the activity,” McWhorter said.

Tools leveraged by the APT28 attackers include the SOURFACE downloader, a second stage backdoor called EVILTOSS, and a modular family of implants written in C++ that FireEye calls CHOPSTICK.

Features of CHOPSTICK include the ability to collect detailed information from infected host machines including the Windows version, CPU architecture, Windows Firewall state, User Account Control configuration settings on Windows Vista and above and Internet Explorer settings. The malware also tests for the installation of specific security products and applications, FireEye said.

Interestingly, the report (PDF) explained that two separate CHOPSTICK backdoors could contain “vastly different functionality”, depending on which modules were included at compile time.

Similar to many other attacks, APT28 uses spearphishing emails to target its victims.

The attackers have attempted to obfuscate their code and use techniques that make analysis challenging, FireEye said, including counter-reverse-engineering tactics such as inserting unused machine instructions and creating a great deal of “unnecessary noise” in the disassembly. Additionally, the malware performs runtime checks to determine whether it is executing in an analysis (virtual) environment and, if so, remains dormant and does not launch its payload.

APT28 Targets

According to FireEye, APT28 made at least two specific attempts to target the Georgian Ministry of Internal Affairs, the Ministry of Defense, and a U.S. defense contractor that was training the Georgian military.

The attackers also zeroed in on a specific journalist covering issues in the Caucasus region, and showed interest in those involved in the Baltic Host, an annual logistics planning exercise hosted by Estonia, Latvia, or Lithuania, all of which border Russia.

“Such targets would potentially provide APT28 with sensitive tactical and strategic intelligence concerning regional military capabilities and relationships,” FireEye said.

Several of the domains APT28 registered imitated NATO domain names, including those of NATO Special Operations Headquarters and the NATO Future Forces Exhibition.

The threat actors also targeted attendees of European defense exhibitions, including the Farnborough Airshow 2014, EuroNaval 2014, EUROSATORY 2014, and the Counter Terror Expo.

Other “probable” targets identified by FireEye include:

• Norwegian Army (Forsvaret)
• Government of Mexico
• Chilean Military
• Pakistani Navy
• U.S. Defense Contractors
• European Embassy in Iraq
• Special Operations Forces Exhibition (SOFEX) in Jordan
• Defense Attaches in East Asia
• Asia-Pacific Economic Cooperation (APEC)
• Al-Wayi News Site

At the time of publishing the report, FireEye had identified 103 malware samples that it says are attributed to APT28, but McWhorter believes there are a great deal more.

Earlier this month, iSight Partners revealed that a threat group allegedly linked with the Russian government had been leveraging a Microsoft Windows zero-day vulnerability to target NATO, the European Union, and various private energy and telecommunications organizations in Europe. The group has been dubbed the “Sandworm Team” and it has been using weaponized PowerPoint files in its recent attacks.

According to researchers at Trend Micro, the Sandworm team may also have their eyes set on compromising SCADA-based systems.

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is founder and director of several leading cybersecurity industry conferences around the world.
