A new round of details released yesterday on the nearly decade-long activity by the group of hackers responsible for the Sofacy malware family has researchers from FireEye definitively pointing their fingers at the Russian government as the sponsor of the group.
Following up on the Operation Pawn Storm report from TrendMicro last week, FireEye provided greater historical context and details about the modus operandi of the actors in question, who make up a hacking collective they call APT28. Tracing activity back seven years through attacks found to be based on modularly designed malware, FireEye says it has solidified what's only been a dotted line connection between the Russian government and the Sofacy malware family -- also known as SEDNIT -- which consists of a dropper FireEye calls Sourface, along with the Eviltoss backdoor malware, and a modular implant called Chopstick.
"This Russian government-backed type of espionage has been very mysterious and hard to nail down over all these years on the Internet," says Dan McWhorter, lead researcher for the report and vice president of threat intelligence for FireEye. "In my opinion after looking at our research, it confirms that yes, in fact, the Russian government is doing this, and it gives us a body of evidence to put against that assertion that wasn’t there previously."
The evidence laid out by FireEye includes several important clues. As TrendLabs and other researchers have already publicly shown, FireEye research similarly found that APT28 has targeted European security-related organizations such as NATO, OSCE, and defense events and exhibitions. Additionally, FireEye pointed to attacks against Eastern European governments and militaries of particular interest to the Russian government, such as Poland's and Hungary's.
In particular, though, this latest report includes evidence of what McWhorter calls "almost a fascination of the Caucasus countries, Georgia in particular," in its targeted attacks utilizing Sourface. This tracks with the security community's hunch since the first sparks of the Georgia-South Ossetia conflict back in 2008 that cyber mercenaries have been carrying out Russian government bidding to move forward the country's interests in the region.
In addition to the intel about APT28's targets, this most recent report also showed further evidence that bolsters the claim that the Russian government is behind these attacks. First, all of the code created for these constantly updated malware variants is developed by coders who speak Russian as a first language and is compiled almost exclusively during business hours in the Moscow and St. Petersburg time zones. And more tellingly, the malicious software developed by the group is perpetuated through "flexible and lasting platforms" that have been evolved since 2007.
"The targeting was consistent, the growth of the malware was consistent, the dedication to the mission over seven years remained consistent," McWhorter says. "So we got this development that went on steadily for seven years that required a whole development team in modular malware and that obviously took some level of funding. People weren’t doing it for fun off to the side."
According to Tom Kellermann, chief cybersecurity officer for Trend Micro, while the "FireEye report is pretty good," he was disappointed that it didn't include further information about the prevalent attack techniques used by the group, namely the use of targeted phishing attacks against Outlook Web Access (OWA) users using typo squatted domains of defense exhibitions.
"We also investigated advanced phishing of Google, Yahoo, Live, Hushmail, and Yandex free mail, by the same group. This is not targeted at free mail users in general but only at very specific users -- of defense contractors and even government officials who use Gmail or Yahoo for sensitive stuff," Kellerman says. "We leaked credentials on purpose to the attackers and monitored what happened. We witnessed that the attackers logged in on the compromised accounts and tried to download mail with IMAP connections. They used IP addresses in the US and Latvia for that."
However, McWhorter says that the intent of this report was more about attribution and following the evolution of the malware platform used by APT28 than anything else. In particular, he said, it was interesting to follow the behavioral patterns of a group tied to the Russian government versus a Russian financial crime ring.
"People tend to combine together Eastern European financial crime with the Russian government, but they're very distinct," he says. "One may know about the other, but the activities are very distinct in what they’re going after."
However, some researchers believe that line is more blurry than that. Another research outfit, iSight, reports that for the past year it too has been following the movements of the group FIreEye calls APT28. According to iSight researchers, the movement of this group "extends beyond government," says John Hultquist, head of cyber espionage intelligence for iSight. The attackers are not just looking for information about military or diplomacy matters, Hultquist says.
"These operators have been tasked with answering questions on energy, on dual use technology, even on sanctions. These are all important questions to the government of Russia, but many of the answers are found in the private sector," he says. "Right now the country's economic base has been jeopardized by falling oil prices. We’d anticipate at the very least they are taking efforts to understand."
McWhorter agrees that, though the report focused primarily on government and military targets in order to nail down attribution, he does believe the group will go as broad as it needs to in order to further Russian government espionage goals. This means enterprises of many types need to be on their toes.
"I think the takeaway from that is if you have any kind of information that the Russian government would be interested in, APT28 doesn’t seem to be shy about targeting you, and we have evidence of that in the report," he says. "When Russia has an interest, you can bet that APT28 also has an interest in what you’re doing."