Cyber Espionage Attacks Attributed To Russian Government

FireEye report meticulously details clues that all point to state-sponsorship of the Sofacy/Sourface malware and tracks its evolution over seven years.

A new round of details released yesterday on the nearly decade-long activity by the group of hackers responsible for the Sofacy malware family has researchers from FireEye definitively pointing their fingers at the Russian government as the sponsor of the group.

Following up on the Operation Pawn Storm report from Trend Micro last week, FireEye provided greater historical context and details about the modus operandi of the actors in question, who make up a hacking collective it calls APT28. Tracing activity back seven years through attacks found to be based on modularly designed malware, FireEye says it has solidified what had previously been only a dotted-line connection between the Russian government and the Sofacy malware family -- also known as SEDNIT -- which consists of a dropper FireEye calls Sourface, along with the Eviltoss backdoor malware and a modular implant called Chopstick.

"This Russian government-backed type of espionage has been very mysterious and hard to nail down over all these years on the Internet," says Dan McWhorter, lead researcher for the report and vice president of threat intelligence for FireEye. "In my opinion after looking at our research, it confirms that yes, in fact, the Russian government is doing this, and it gives us a body of evidence to put against that assertion that wasn’t there previously."

The evidence laid out by FireEye includes several important clues. Like TrendLabs and other researchers who have already published on the group, FireEye found that APT28 has targeted European security-related organizations such as NATO, OSCE, and defense events and exhibitions. Additionally, FireEye pointed to attacks against Eastern European governments and militaries of particular interest to the Russian government, such as Poland's and Hungary's.

In particular, though, this latest report includes evidence of what McWhorter calls "almost a fascination of the Caucasus countries, Georgia in particular," in its targeted attacks utilizing Sourface. This tracks with the security community's hunch since the first sparks of the Georgia-South Ossetia conflict back in 2008 that cyber mercenaries have been carrying out Russian government bidding to move forward the country's interests in the region.

In addition to the intel about APT28's targets, this most recent report also showed further evidence that bolsters the claim that the Russian government is behind these attacks. First, all of the code created for these constantly updated malware variants is developed by coders who speak Russian as a first language and is compiled almost exclusively during business hours in the Moscow and St. Petersburg time zones. And more tellingly, the malicious software developed by the group is perpetuated through "flexible and lasting platforms" that have been evolved since 2007.
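The compile-time clue above is something an analyst can check directly: PE files carry a `TimeDateStamp` in the file header, and converting a corpus of those stamps into a candidate local time zone shows whether they cluster in a working week. The script below is an added example, not code from FireEye or from the Dark Reading article; the timestamps are constructed, and a fixed UTC+3 offset is an assumption standing in for Moscow/St. Petersburg (the real historical offset varied, so production work should use `zoneinfo`). It goes slightly beyond the article by scoring several candidate offsets and picking the one that best fits a working-hours pattern.

```python
"""Working-hours profile of malware compile timestamps (added example).

Shows the attribution heuristic described in the article: if a family's
compile timestamps fall in business hours of one time zone and not others,
that zone is a weak signal about where the developers sit. All sample
timestamps are constructed for illustration, not taken from real samples.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumption: fixed offsets for the candidate zones. UTC+3 stands in for
# Moscow/St. Petersburg; the others are just contrasting candidates.
CANDIDATE_ZONES = {"UTC-5": -5, "UTC+0": 0, "UTC+3": 3, "UTC+8": 8}
WORK_HOURS = range(9, 18)        # assumed working window: 09:00-17:59 local


def _utc(y, m, d, hh, mm):
    """Helper: build an epoch value the way a PE TimeDateStamp stores it."""
    return int(datetime(y, m, d, hh, mm, tzinfo=timezone.utc).timestamp())


# Constructed TimeDateStamp values (seconds since epoch, UTC).
SAMPLE_TIMESTAMPS = [
    _utc(2014, 3, 10, 7, 15),    # Mon 07:15 UTC -> 10:15 at UTC+3
    _utc(2014, 3, 11, 9, 40),    # Tue 09:40 UTC -> 12:40
    _utc(2014, 3, 12, 12, 5),    # Wed 12:05 UTC -> 15:05
    _utc(2014, 3, 13, 6, 30),    # Thu 06:30 UTC -> 09:30
    _utc(2014, 3, 14, 13, 55),   # Fri 13:55 UTC -> 16:55
    _utc(2014, 3, 15, 8, 0),     # Sat 08:00 UTC -> weekend, never "in hours"
    _utc(2014, 3, 17, 20, 0),    # Mon 20:00 UTC -> 23:00 at UTC+3, outside hours
]


def local_profile(timestamps, offset_hours, work_hours=WORK_HOURS):
    """Return (hour_counts, weekday_counts, fraction_in_working_hours).

    A timestamp counts as "in working hours" only on a weekday and inside
    the assumed working window, after shifting to the given UTC offset.
    """
    tz = timezone(timedelta(hours=offset_hours))
    hours, weekdays, in_hours = Counter(), Counter(), 0
    for ts in timestamps:
        local = datetime.fromtimestamp(ts, tz)
        hours[local.hour] += 1
        weekdays[local.strftime("%a")] += 1
        if local.weekday() < 5 and local.hour in work_hours:
            in_hours += 1
    return hours, weekdays, in_hours / len(timestamps)


def best_fit(timestamps, zones=CANDIDATE_ZONES):
    """Score each candidate zone and return (zone_name, fraction) for the best.

    The fraction is how many stamps land in a weekday working window; a
    high value in one zone and low values elsewhere is the pattern the
    article's researchers describe. It is a weak signal: timestamps can
    be forged, and a single sample proves nothing.
    """
    scores = {name: local_profile(timestamps, off)[2] for name, off in zones.items()}
    name = max(scores, key=scores.get)
    return name, scores[name]


if __name__ == "__main__":
    zone, frac = best_fit(SAMPLE_TIMESTAMPS)
    print(f"best-fitting zone: {zone} ({frac:.0%} of stamps in working hours)")
    hours, weekdays, _ = local_profile(SAMPLE_TIMESTAMPS, CANDIDATE_ZONES[zone])
    print("local hours:", sorted(hours.items()))
    print("weekdays:", dict(weekdays))
```

On the constructed set, UTC+3 places five of seven stamps in a weekday working window while UTC+0 and UTC+8 place three and UTC-5 places one; with a real corpus the interesting output is the hour histogram itself, which should look like a working day rather than a flat line if the developers keep office hours.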

"The targeting was consistent, the growth of the malware was consistent, the dedication to the mission over seven years remained consistent," McWhorter says. "So we got this development that went on steadily for seven years that required a whole development team in modular malware and that obviously took some level of funding. People weren’t doing it for fun off to the side."

According to Tom Kellermann, chief cybersecurity officer for Trend Micro, while the "FireEye report is pretty good," he was disappointed that it didn't include further information about the prevalent attack techniques used by the group, namely targeted phishing attacks against Outlook Web Access (OWA) users using typosquatted domains of defense exhibitions.

"We also investigated advanced phishing of Google, Yahoo, Live, Hushmail, and Yandex free mail, by the same group. This is not targeted at free mail users in general but only at very specific users -- of defense contractors and even government officials who use Gmail or Yahoo for sensitive stuff," Kellermann says. "We leaked credentials on purpose to the attackers and monitored what happened. We witnessed that the attackers logged in on the compromised accounts and tried to download mail with IMAP connections. They used IP addresses in the US and Latvia for that."
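The technique Kellermann describes, deliberately leaked credentials for a mailbox nobody legitimately uses, is a honeytoken, and its value comes from the alerting around it: any login to that account is an intrusion signal, and an IMAP login from an unexpected country is the bulk-download pattern he saw. The script below is an added example, not Trend Micro's tooling; the log format, the canary address and the expected country are all assumptions, and the log lines are constructed.

```python
"""Alert on logins to a honeytoken (canary) mailbox (added example).

Assumed log format (constructed for this example, not any vendor's):
  <iso-time> <proto> login user=<addr> ip=<ipv4> country=<CC> result=<ok|fail>
"""
import re
from dataclasses import dataclass

CANARY_ACCOUNTS = {"j.doe.contractor@example.org"}   # assumed honeytoken mailbox
EXPECTED_COUNTRIES = {"DE"}    # where the canary's notional owner works (assumption)
BULK_PROTOCOLS = {"imap", "pop3"}   # protocols used to pull a whole mailbox

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>imap|pop3|owa) login user=(?P<user>\S+) "
    r"ip=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) country=(?P<cc>[A-Z]{2}) "
    r"result=(?P<result>ok|fail)$"
)

# Constructed sample log; addresses are from documentation ranges.
SAMPLE_LOG = """\
2014-10-29T08:12:03Z owa login user=a.smith@example.org ip=203.0.113.7 country=DE result=ok
2014-10-29T09:01:44Z imap login user=j.doe.contractor@example.org ip=198.51.100.23 country=US result=ok
2014-10-29T09:02:10Z imap login user=j.doe.contractor@example.org ip=192.0.2.77 country=LV result=ok
2014-10-29T11:40:00Z owa login user=j.doe.contractor@example.org ip=203.0.113.9 country=DE result=fail
this line is not in the expected format and is skipped
"""


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    proto: str
    ip: str
    country: str
    severity: str      # "high" for bulk-download protocol + unexpected geo
    reason: str


def parse(log_text):
    """Yield dicts for well-formed lines; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            yield m.groupdict()


def detect(log_text, canaries=CANARY_ACCOUNTS, expected=EXPECTED_COUNTRIES):
    """Return one Alert per successful login to a canary account.

    Every successful canary login is reported, because nobody should use
    the account at all. Severity is raised when the login comes from an
    unexpected country over a protocol that downloads the whole mailbox.
    """
    alerts = []
    for ev in parse(log_text):
        if ev["user"] not in canaries or ev["result"] != "ok":
            continue
        unexpected_geo = ev["cc"] not in expected
        bulk = ev["proto"] in BULK_PROTOCOLS
        if unexpected_geo and bulk:
            severity, reason = "high", "mailbox download from unexpected country"
        elif unexpected_geo:
            severity, reason = "medium", "login from unexpected country"
        else:
            severity, reason = "medium", "any use of a canary account is suspicious"
        alerts.append(Alert(ev["ts"], ev["user"], ev["proto"], ev["ip"],
                            ev["cc"], severity, reason))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a.severity}] {a.ts} {a.proto} {a.user} from {a.ip} ({a.country}): {a.reason}")
```

Failed attempts against the canary are deliberately not alerted here to keep the output focused, but in practice they are worth counting too, since a burst of failures shows the leaked credential has already been tried somewhere.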

However, McWhorter says that the intent of this report was more about attribution and following the evolution of the malware platform used by APT28 than anything else. In particular, he said, it was interesting to follow the behavioral patterns of a group tied to the Russian government versus a Russian financial crime ring.

"People tend to combine together Eastern European financial crime with the Russian government, but they're very distinct," he says. "One may know about the other, but the activities are very distinct in what they’re going after."

However, some researchers believe that line is blurrier than that. Another research outfit, iSight, reports that for the past year it too has been following the movements of the group FireEye calls APT28. According to iSight researchers, the movement of this group "extends beyond government," says John Hultquist, head of cyber espionage intelligence for iSight. The attackers are not just looking for information about military or diplomacy matters, Hultquist says.

"These operators have been tasked with answering questions on energy, on dual use technology, even on sanctions. These are all important questions to the government of Russia, but many of the answers are found in the private sector," he says. "Right now the country's economic base has been jeopardized by falling oil prices. We’d anticipate at the very least they are taking efforts to understand."

McWhorter agrees: though the report focused primarily on government and military targets in order to nail down attribution, he believes the group will go as broad as it needs to in order to further Russian government espionage goals. This means enterprises of many types need to be on their toes.

"I think the takeaway from that is if you have any kind of information that the Russian government would be interested in, APT28 doesn’t seem to be shy about targeting you, and we have evidence of that in the report," he says. "When Russia has an interest, you can bet that APT28 also has an interest in what you’re doing." 

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
