Dark Reading is part of the Informa Tech Division of Informa PLC

10/29/2014 06:30 AM
Cyber Espionage Attacks Attributed To Russian Government

FireEye report meticulously details clues that all point to state-sponsorship of the Sofacy/Sourface malware and tracks its evolution over seven years.

A new round of details released yesterday on the nearly decade-long activity by the group of hackers responsible for the Sofacy malware family has researchers from FireEye definitively pointing their fingers at the Russian government as the sponsor of the group.

Following up on the Operation Pawn Storm report from Trend Micro last week, FireEye provided greater historical context and detail about the modus operandi of the actors in question, a hacking collective it calls APT28. Tracing activity back seven years through attacks built on modularly designed malware, FireEye says it has solidified what had previously been only a dotted-line connection between the Russian government and the Sofacy malware family -- also known as SEDNIT -- which consists of a dropper FireEye calls Sourface, the Eviltoss backdoor, and a modular implant called Chopstick.

"This Russian government-backed type of espionage has been very mysterious and hard to nail down over all these years on the Internet," says Dan McWhorter, lead researcher for the report and vice president of threat intelligence for FireEye. "In my opinion after looking at our research, it confirms that yes, in fact, the Russian government is doing this, and it gives us a body of evidence to put against that assertion that wasn’t there previously."

The evidence laid out by FireEye includes several important clues. Consistent with what TrendLabs and other researchers have already shown publicly, FireEye found that APT28 has targeted European security-related organizations such as NATO and the OSCE, as well as defense events and exhibitions. Additionally, FireEye pointed to attacks against Eastern European governments and militaries of particular interest to the Russian government, such as Poland's and Hungary's.

In particular, though, this latest report includes evidence of what McWhorter calls "almost a fascination of the Caucasus countries, Georgia in particular," in its targeted attacks utilizing Sourface. This tracks with the security community's hunch since the first sparks of the Georgia-South Ossetia conflict back in 2008 that cyber mercenaries have been carrying out Russian government bidding to move forward the country's interests in the region.

In addition to the intel about APT28's targets, this most recent report also offered further evidence that the Russian government is behind these attacks. First, the code for these constantly updated malware variants is written by developers who speak Russian as a first language, and it is compiled almost exclusively during business hours in the Moscow and St. Petersburg time zones. More tellingly, the group's malicious software is maintained on "flexible and lasting platforms" that have been evolving since 2007.
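The compile-time evidence above comes from the TimeDateStamp in each sample's PE header. The following added example (not code from the article or from FireEye) shows how an analyst reconstructs that profile: it parses the timestamp from a PE image, converts it to local time, and reports what share of builds fell inside a working-day window. It assumes a fixed UTC+3 offset for Moscow (the real offset has shifted over the years), and the `make_fake_pe`, `msk` and `working_hours_profile` helpers are hypothetical; the sample set is constructed for illustration.

```python
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumed fixed offset for Moscow/St. Petersburg. The real offset moved between
# UTC+3 and UTC+4 during 2011-2014, so a production script should use tzdata.
MOSCOW = timezone(timedelta(hours=3), name="MSK")
BUSINESS_HOURS = range(8, 19)   # 08:00-18:59 local time, a loose working-day window
WEEKDAYS = range(0, 5)          # Monday=0 ... Friday=4


def pe_compile_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch) from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]        # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF file header: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, pe_off + 8)[0]


def make_fake_pe(ts: int) -> bytes:
    """Constructed, non-runnable header carrying only the fields the parser reads."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # PE header at offset 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 0xE0, 0x102)
    return bytes(dos) + b"PE\0\0" + coff


def msk(y, m, d, hour):
    """Epoch seconds for a wall-clock time in the assumed Moscow zone."""
    return int(datetime(y, m, d, hour, tzinfo=MOSCOW).timestamp())


# Constructed sample set: three weekday business-hour builds, one Saturday 02:00 build.
SAMPLES = [make_fake_pe(msk(2014, 3, 12, 10)), make_fake_pe(msk(2014, 3, 13, 15)),
           make_fake_pe(msk(2014, 3, 14, 17)), make_fake_pe(msk(2014, 3, 15, 2))]


def working_hours_profile(samples, tz=MOSCOW):
    """Bucket compile times by local hour; return (fraction in working hours, hour histogram)."""
    hours = Counter()
    in_window = 0
    for s in samples:
        local = datetime.fromtimestamp(pe_compile_timestamp(s), tz)
        hours[local.hour] += 1
        if local.hour in BUSINESS_HOURS and local.weekday() in WEEKDAYS:
            in_window += 1
    return in_window / len(samples), hours
```

On the constructed set, `working_hours_profile(SAMPLES)` reports 75% of builds inside Moscow working hours; a real corpus of hundreds of samples would be needed before such a skew carries attribution weight, and timestamps can be forged.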

"The targeting was consistent, the growth of the malware was consistent, the dedication to the mission over seven years remained consistent," McWhorter says. "So we got this development that went on steadily for seven years that required a whole development team in modular malware and that obviously took some level of funding. People weren’t doing it for fun off to the side."

According to Tom Kellermann, chief cybersecurity officer for Trend Micro, while the "FireEye report is pretty good," he was disappointed that it didn't include further information about the group's prevalent attack techniques, namely targeted phishing of Outlook Web Access (OWA) users using typosquatted domains of defense exhibitions.

"We also investigated advanced phishing of Google, Yahoo, Live, Hushmail, and Yandex free mail, by the same group. This is not targeted at free mail users in general but only at very specific users -- of defense contractors and even government officials who use Gmail or Yahoo for sensitive stuff," Kellermann says. "We leaked credentials on purpose to the attackers and monitored what happened. We witnessed that the attackers logged in on the compromised accounts and tried to download mail with IMAP connections. They used IP addresses in the US and Latvia for that."

However, McWhorter says that the intent of this report was more about attribution and following the evolution of the malware platform used by APT28 than anything else. In particular, he said, it was interesting to follow the behavioral patterns of a group tied to the Russian government versus a Russian financial crime ring.

"People tend to combine together Eastern European financial crime with the Russian government, but they're very distinct," he says. "One may know about the other, but the activities are very distinct in what they’re going after."

However, some researchers believe that line is blurrier than that. Another research outfit, iSight, reports that for the past year it too has been following the movements of the group FireEye calls APT28, and that the group's activity "extends beyond government," says John Hultquist, head of cyber espionage intelligence for iSight. The attackers are not just looking for information about military or diplomacy matters, Hultquist says.

"These operators have been tasked with answering questions on energy, on dual use technology, even on sanctions. These are all important questions to the government of Russia, but many of the answers are found in the private sector," he says. "Right now the country's economic base has been jeopardized by falling oil prices. We’d anticipate at the very least they are taking efforts to understand."

McWhorter agrees: though the report focused primarily on government and military targets in order to nail down attribution, he believes the group will go as broad as it needs to in order to further Russian government espionage goals. This means enterprises of many types need to be on their toes.

"I think the takeaway from that is if you have any kind of information that the Russian government would be interested in, APT28 doesn’t seem to be shy about targeting you, and we have evidence of that in the report," he says. "When Russia has an interest, you can bet that APT28 also has an interest in what you’re doing." 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
