Russian Hackers Target European Governments Ahead of Elections: FireEye

Hackers believed to be sponsored by the Russian government are targeting European governments for cyber-espionage purposes ahead of the upcoming European elections, FireEye reports. 

The targeting, the security firm says, is focused on NATO member states. The activity has increased significantly since mid-2018, and is ongoing. 

The attacks are being carried out by two groups that security companies refer to as APT28 (also known as Pawn Storm, Fancy Bear, Sofacy, Group 74, Sednit, Tsar Team and Strontium) and Sandworm Team (also tracked as TeleBots). 

When announcing the takedown of the “VPNFilter” botnet last year, the US Justice Department referred to the actor behind the botnet as both APT28 and Sandworm. The two, however, are seen as separate groups by security firms, although their activity is related. 

Both cyber-espionage groups, FireEye says in a report shared with SecurityWeek, are sponsored by the Russian state. 

The activity of APT28 and Sandworm Team appears aligned, although each uses different tools and methods. The former employs custom tools and has been observed deploying zero-day exploits, while the latter tends to use publicly available tools. 

In addition to European government organizations, the groups have also targeted media outlets in France and Germany, political opposition groups in Russia, and LGBT organizations with links to Russia, the security firm says. 

These groups usually rely on spear-phishing as the initial method of compromise, delivering either malicious documents or links to fake login sites designed to steal passwords. The attackers also register domains that resemble ones the intended victims are familiar with. 

Targets within European governments have received emails with a seemingly genuine sender address and links that appeared to point to real government websites. The emails attempted to trick victims into handing their credentials to the attackers.
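As an added illustration of the lookalike-domain phishing described above (example code, not from the FireEye report or this article), the following Python scans the links in an email body and flags hostnames that imitate a set of legitimate domains; the KNOWN_GOOD list and the sample message are constructed assumptions.

```python
import re
from urllib.parse import urlparse

KNOWN_GOOD = {"example.gov", "portal.example.gov"}  # constructed: hosts staff legitimately use


def normalize(host: str) -> str:
    """Fold common character swaps so 'examp1e.gov' compares equal to 'example.gov'."""
    host = host.lower().rstrip(".")
    for src, dst in (("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("rn", "m"), ("vv", "w")):
        host = host.replace(src, dst)
    return host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str, known_good=KNOWN_GOOD) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for one link hostname."""
    host = host.lower().rstrip(".")
    if host in known_good or any(host.endswith("." + g) for g in known_good):
        return "trusted"
    apex = ".".join(host.split(".")[-2:])  # crude registrable domain: last two labels
    for good in known_good:
        # 1) homoglyph swap (examp1e.gov); 2) small typo or TLD swap (exampl.gov, example.com);
        # 3) trusted name prefixed to an attacker-controlled domain (example.gov.account-verify.net)
        if (normalize(host) == normalize(good)
                or edit_distance(apex, ".".join(good.split(".")[-2:])) <= 2
                or host.startswith(good + ".")):
            return "lookalike"
    return "unrelated"


def scan_message(body: str) -> list:
    """Extract every http(s) link from an email body and classify its host."""
    urls = re.findall(r"https?://[^\s\"'<>]+", body)
    return [(u, classify_host(urlparse(u).hostname or "")) for u in urls]


# Constructed sample message (not from the report): one genuine link, two lookalikes.
SAMPLE = """Confirm your mailbox at https://portal.example.gov/login or, if that fails,
https://portal.examp1e.gov/login or https://example.gov.account-verify.net/sso today."""

if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE):
        print(f"{verdict:10} {url}")
```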

“The groups could be trying to gain access to the targeted networks in order to gather information that will allow Russia to make more informed political decisions, or it could be gearing up to leak data that would be damaging for a particular political party or candidate ahead of the European elections,” said Benjamin Read, Senior Manager of Cyber Espionage Analysis at FireEye. 

“The link between this activity and the European elections is yet to be confirmed, but the multiple voting systems and political parties involved in the elections create a broad attack surface for hackers.”

FireEye says it notified targeted organizations, whenever possible, after identifying attacks. 

Related: UK, Australia Blame Russia for Bad Rabbit, Other Attacks

Related: FBI Attribution of ‘VPNFilter’ Attack Raises Questions

Written By

Ionut Arghire is an international correspondent for SecurityWeek.