BRUSSELS – FireEye,, the intelligence-led security company, today released new information about cyber attacks believed to be by Russian hacking group APT28 on Montenegro at a briefing for journalists.
Earlier this year, FireEye recovered malware samples indicating APT28 targeted the Montenegrin government with cyber attacks. Lure documents used in the spearphishing attacks pertain to a North Atlantic Treaty Organization (NATO) Secretary meeting and another described a visit by a European army unit to Montenegro. The latter document may have been stolen and then weaponized. Yesterday, Montenegro became the newest member of NATO.
"NATO expansion is often viewed as a security threat by the Russian Federation, and Montenegro's bid for membership was strongly contested by Russia and the pro-Russia political parties in Montenegro. It’s likely that this activity is a part of APT28’s continued focus on targeting various NATO member states, as well as the organization itself," explained Tony Cole, Vice President and Chief Technology Officer for Global Government at FireEye.
"Russia has strongly opposed Montenegro's NATO accession process and is likely to continue using cyber capabilities to undermine Montenegro's smooth integration into the alliance. Montenegro's accession could increase cyber threat activity directed toward NATO, and provide additional avenues for adversaries like Russia to illicitly access NATO information," added Cole.
FireEye attributes this activity to Russian hacking group APT28 for several reasons. One is that the Flash exploit framework and GAMEFISH malware are believed to be used exclusively by APT28. Also, the group has previously targeted NATO member states and the attacks also used infrastructure that’s believed to be used by APT28.
FireEye believes it’s unlikely Russia will abandon its interests in Montenegro now that its NATO membership has been confirmed. NATO member states and nations interested in joining the organization are likely to face an elevated risk of similar activity.
In February 2017 after Montenegrin Prime Minister Dusko Markovic denounced foreign opposition to his country’s NATO accession, Montenegro government organizations, and media outlets were targeted with intermittent distributed denial-of-service attacks. These attacks rendered the affected websites temporarily inaccessible. FireEye does not have a high degree of confidence in the attribution of these attacks. They may or may not be related to the Prime Minister’s comments.