Connect with us

Hi, what are you looking for?


Tracking & Law Enforcement

Russian Cyber Espionage Group Planning to Hit Banks: Report

APT28, the notorious cyber espionage group that is believed to be sponsored by the Russian government, is planning to attack various financial institutions from across the world, according to a report published on Tuesday by cybersecurity services and training provider root9B.

APT28, the notorious cyber espionage group that is believed to be sponsored by the Russian government, is planning to attack various financial institutions from across the world, according to a report published on Tuesday by cybersecurity services and training provider root9B.

APT28 has been around since at least 2007. The threat actor, analyzed by several security firms over the past months, is known under various names, including Pawn Storm, Sednit, Fancy Bear, Tsar Team, and Sofacy. A report published by FireEye in October 2014 showed a direct link between the advanced persistent threat (APT) group and Russia.

FireEye noted in that report that APT28 had not been seen trying to steal and profit from financial account information. However, root9B says it has uncovered plans by the threat group to target international financial institutions.

The list of organizations that appear to be targeted by the attackers includes Bank of America, TD Canada Trust, Regions Bank, the United Nations Children’s Fund, United Bank for Africa, Commercial Bank International (CBI) in the United Arab Emirates, and possibly Germany-based Commerzbank.

The security firm says it has notified authorities in the United States and the UAE, and the security teams of the targeted financial institutions of APT28’s plans.

“While none of the targeted organizations are clients of root9B, we felt it imperative to disclose the findings to them, and as broadly as possible to the security community,” said Eric Hipkins, CEO of root9B.

The security firm said it discovered the threat group’s plans at the end of April during routine security analysis. Researchers stumbled upon a spear-phishing domain aimed at the UAE-based financial organization. The domain attracted the attention of experts because it was hosted on a server known to be associated with state-sponsored operations. They also discovered several pieces of new malware with signatures specific to APT28.

The attackers registered several CBI phishing domains using fictitious information. The phishing domains for the other targeted banks were discovered by researchers because they had been registered using similar fake registration details.

Advertisement. Scroll to continue reading.

Researchers determined that the malicious actors started preparations for this campaign back in June 2014.

“While the continued vector of the attack remains unclear, root9B assesses that it will most likely be a spear-phishing campaign. This attack vector will likely use a well-crafted email containing either a malicious file or web hyperlink to what recipients believe is the actual website; but is instead a fake landing page,” the security firm wrote in its report.

Experts noted that while such phishing websites are usually utilized to trick users into handing over personal and financial information, it’s possible that the threat group could try to use the servers hosting the phishing pages to deliver malware that gives them access to victims’ networks.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Professional services company Slalom has appointed Christopher Burger as its first CISO.

Allied Universal announced that Deanna Steele has joined the company as CIO for North America.

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

More People On The Move

Expert Insights

Related Content


Daniel Kelley was just 18 years old when he was arrested and charged on thirty counts – most infamously for the 2015 hack of...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


The Hive ransomware website has been seized as part of an operation that involved law enforcement in 10 countries.


Employees of Chinese tech giant ByteDance improperly accessed data from social media platform TikTok to track journalists in a bid to identify the source...

CISO Strategy

The SEC filed charges against SolarWinds and its CISO over misleading investors about its cybersecurity practices and known risks.


A global cyber espionage campaign has resulted in the networks of many organizations around the world becoming compromised after the attackers managed to breach...


US government reminds the public that a reward of up to $10 million is offered for information on cybercriminals, including members of the Hive...