Russian Hackers Target European Governments Ahead of Elections: FireEye

Hackers believed to be sponsored by the Russian government are targeting European governments for cyber-espionage purposes ahead of the upcoming European elections, FireEye reports. 

The targeting, the security firm says, is focused on NATO member states. The activity has increased significantly since mid-2018, and is ongoing. 

The attacks are being carried out by two groups that security companies refer to as APT28 (also known as Pawn Storm, Fancy Bear, Sofacy, Group 74, Sednit, Tsar Team and Strontium) and Sandworm Team (also tracked as TeleBots). 

When announcing the takedown of the “VPNFilter” botnet last year, the US Justice Department referred to the actor behind the botnet as both APT28 and Sandworm. The two, however, are seen as separate groups by security firms, although their activity is related. 

Both cyber-espionage groups, FireEye says in a report shared with SecurityWeek, are sponsored by the Russian state. 

The activity of APT28 and Sandworm Team appears aligned, although each uses different tools and methods. The former employs custom tools and has been observed deploying zero-day exploits, while the latter tends to use publicly available tools. 

In addition to European government organizations, the groups have also targeted media outlets in France and Germany, political opposition groups in Russia, and LGBT organizations with links to Russia, the security firm says. 

Usually, these hackers leverage spear-phishing as the initial method of compromise, to deliver either malicious documents or links to fake login sites, which attempt to steal passwords. The attackers also register domains similar to those that the intended victims are familiar with. 

Targets within European governments have received emails that displayed a seemingly genuine sender and which contained links that appeared to direct to real government websites. The emails attempted to trick victims into revealing their credentials to the attackers.

“The groups could be trying to gain access to the targeted networks in order to gather information that will allow Russia to make more informed political decisions, or it could be gearing up to leak data that would be damaging for a particular political party or candidate ahead of the European elections,” said Benjamin Read, Senior Manager of Cyber Espionage Analysis at FireEye. 

“The link between this activity and the European elections is yet to be confirmed, but the multiple voting systems and political parties involved in the elections creates a broad attack surface for hackers.”

FireEye says they notified targeted organizations after identifying attacks, whenever possible. 

Related: UK, Australia Blame Russia for Bad Rabbit, Other Attacks

Related: FBI Attribution of ‘VPNFilter’ Attack Raises Questions