Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

New Zebrocy Campaign Suggests Russia Continues Attacks on NATO

QuoINT security researchers have identified a new Zebrocy campaign targeting countries associated with the North Atlantic Treaty Organization (NATO).

QuoINT security researchers have identified a new Zebrocy campaign targeting countries associated with the North Atlantic Treaty Organization (NATO).

Detailed for the first time in 2018, Zebrocy has been associated with the Russia-linked state-sponsored threat actor APT28 (also known as Fancy Bear, Pawn Storm, Sednit, and Strontium), which has been active since at least 2007.

While some security researchers see Zebrocy as a separate adversary, others have shown connections between various threat actors operating out of Russia, including a link between GreyEnergy and Zebrocy attacks.

The recently observed campaign, which likely started on August 5, employed the Delphi version of the Zebrocy malware and a command and control (C&C) infrastructure hosted in France, QuoINT’s security researchers reveal.

Lures employed in these attacks had a NATO-related theme, a recurring motif in APT28 campaigns — the adversary used a similar theme in attacks in 2017. The intended victim in the new attacks was a specific government body in Azerbaijan, but other NATO members or countries involved in NATO exercises might have been targeted as well.

The attackers distributed what appeared to be a JPEG image that, instead, turned out to be a ZIP archive concatenated to evade detection. The file drops the Zebrocy executable and a corrupted Excel file, likely in an attempt to lure the intended victim into executing the malware.

Once executed, the malware creates a scheduled task to regularly attempt to send stolen data to a remote domain. On machines that the C&C server appears to find uninteresting, the connection is terminated by the server.

“QuoINT concludes with medium-high confidence that the campaign targeted a specific government body, at least in Azerbaijan. Although Azerbaijan is not a NATO member, it closely cooperates with the North-Atlantic organizations and participates in NATO exercises. Further, the same campaign very likely targeted other NATO members or countries cooperating with NATO exercises,” QuoINT says.

Advertisement. Scroll to continue reading.

The security researchers also note that this APT28 attack shows striking similarities with a ReconHellcat/ BlackWater attack uncovered last month: the compressed Zebrocy malware and the lure in the BlackWater attack were both uploaded on August 5 by the same user in Azerbaijan (highly likely by the same organization), the attacks happened simultaneously, and victimology is similar in both attacks.

Furthermore, the researchers point out that APT28 previously targeted both NATO and the Organization for Security and Co-operation in Europe (OSCE) — the ReconHellcat campaign was employing OSCE-themed lures — but that there’s no “strong causation link […] or solid technical link between the two attacks.”

“We assessed ReconHellcat as a high-capability APT group, like APT28,” QuoINT concludes.

Related: FBI, NSA Share Details on New ‘Drovorub’ Linux Malware Used by Russia

Related: NSA Publishes IOCs Associated With Russian Targeting of Exim Servers

Related: Phishing Campaign Targeting Ukrainian Firm Burisma Linked to Russian Cyberspies

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Shanta Kohli has been named CMO at Sysdig.

Cloud security firm Sysdig has appointed Sergej Epp as CISO.

F5 has appointed John Maddison as Chief Product Marketing and Technology Alliances Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.