Security Experts:

Connect with us

Hi, what are you looking for?



Russian Hackers Used Two Zero-Days in Recent Targeted Attack: FireEye

APT28 Attackers

APT28 Attackers

FireEye said on Saturday that it recently detected a highly targeted attack exploiting two zero-day vulnerabilities in an effort to compromise an “international government entity” in an industry vertical that aligns with known targets hit by a threat actor group which FireEye calls APT28.

FireEye has described APT28 as a skilled team of developers and operators collecting intelligence on defense and geopolitical issues that would clearly benefit Russia. The security firm previously traced cyber-espionage campaigns by the group that date back to 2007.

FireEye said that it first detected the attacks on April 13th, 2015, when the attackers attempted to exploit two zero-day vulnerabilities, including a recently patched flaw in Adobe Flash (CVE-2015-3043) and a brand new one in Microsoft Windows (CVE-2015-1701).

Through its analysis and technical indicators and command and control infrastructure, FireEye believes that the APT28 attackers are responsible for the campaign, which it is calling “Operation RussianDoll”.

Despite use of the two zero-days, the attackers were said to be unsuccessful in breaching their target. A FireEye spokesperson told SecurityWeek that it detected the exploits as they were delivered which prevented an intrusion.

According to FireEye, the exploit process takes place like this:

1. User clicks link to attacker controlled website

2. HTML/JS launcher page serves Flash exploit

3. Flash exploit triggers CVE-2015-3043, executes shellcode

4. Shellcode downloads and runs executable payload

5. Executable payload exploits local privilege escalation (CVE-2015-1701) to steal System token

The CVE-2015-3043 exploit delivers a malware variant that shares characteristics with the APT28 backdoors CHOPSTICK and CORESHELL malware families, both described in FireEye’s initial report on APT28.

“One of the C2 locations for the new payload, 87.236.215[.]246, also hosts a suspected APT28 domain ssl-icloud[.]com,” FireEye said.

The payload contains an exploit for the unpatched local privilege escalation vulnerability CVE-2015-1701 in Microsoft Windows. The exploit does not affect Windows 8 and later.

“While there is not yet a patch available for the Windows vulnerability, updating Adobe Flash to the latest version will render this in-the-wild exploit innocuous,” FireEye noted in a blog post. “We have only seen CVE-2015-1701 in use in conjunction with the Adobe Flash exploit for CVE-2015-3043. We are working with the Microsoft Security Team on CVE-2015-1701.”

“Because CVE-2015-3043 is already patched, this remote exploit will not succeed on a fully patched system,” FireEye said. “If an attacker wanted to exploit CVE-2015-1701, they would first have to be executing code on the victim’s machine. Baring authorized access to the victim’s machine, the attacker would have to find some other means, such as crafting a new Flash exploit, to deliver a CVE-2015-1701 payload.”

Earlier this week, Trend Micro reported new activity on “Operation Pawn Storm” which is assumed to be the same threat actors tracked by FireEye as APT28. According to the most recent report from Trend Micro, the APT group has introduced new infrastructure and is “zeroing in” on targets including the White House and NATO members.

Trend Micro also eluded to possible connections with the Russian government. “We determined that the group also aimed its attacks on Russian dissidents and those opposing the Kremlin, as well as Ukrainian activists and military, which has led some to speculate that there might be a connection with the Russian government,” Feike Hacquebord, a Senior Threat Researcher at Trend Micro, noted in a blog post on Thursday.

Last year FireEye was able to trace at least two specific attempts by APT28 to target the Georgian Ministry of Internal Affairs, the Ministry of Defense, and a U.S. defense contractor that was training the Georgian military.

*Updated to include name of campaign and modified headline

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.