Plenty of nation states are in a position to sponsor attack groups, and a research firm now says Russia appears to be backing one that targets foreign governments and security organizations.
“APT28”, a group that may have been operating for more than a decade, has attacked governments in Georgia and Eastern Europe as well as NATO and the Organization for Security and Co-operation in Europe, said researchers at security firm FireEye.
In a report, FireEye said the group tried twice to hack Georgia’s Ministry of Internal Affairs and also attacked its Ministry of Defense and an unnamed U.S. defense contractor affiliated with it. Other targets included the governments of Hungary and Poland, the World Bank, the European Commission, APEC, the UN, and a journalist who covers the Caucasus.
APT28 became more sophisticated over the years, using custom tools that were continually updated and built to resist reverse engineering. That, FireEye researchers said, points to a high level of skill and sustained financial backing from an established organization, “likely a government”.
Almost all of the tools were compiled during regular working hours in the Moscow and St Petersburg time zone, with compile timestamps ranging from mid-2007 to last month, researchers said.
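The working-hours observation above rests on reading each sample's PE compile timestamp (the COFF header's TimeDateStamp) and asking when it falls on the suspected operators' local clock. The script below, an added example that is not FireEye's code or part of the article, shows that check end to end on constructed input: it parses the timestamp out of a minimal stub PE header, discards zeroed or forged stamps that post-date the sample's first sighting, then bins the rest by local hour and weekday. It assumes a fixed UTC+4 offset for Moscow and St Petersburg (the offset in force from March 2011 to October 2014; earlier years used UTC+3 with summer time), an 08:00 to 18:00 Monday-to-Friday working day, and a hypothetical sample set that is constructed, not real APT28 data.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumption: fixed UTC+4 for Moscow/St Petersburg, the offset in force from
# March 2011 to October 2014; older samples would need UTC+3 plus summer time.
MSK = timezone(timedelta(hours=4), "MSK")
WORKDAY_START, WORKDAY_END = 8, 18   # local 08:00-18:00, Monday to Friday


def build_stub_pe(timestamp: int) -> bytes:
    """Constructed minimal PE header carrying the given TimeDateStamp (test input only)."""
    pe_off = 0x40
    hdr = bytearray(b"MZ" + b"\0" * (0x3C - 2))
    hdr += pe_off.to_bytes(4, "little")        # e_lfanew at 0x3c
    hdr += b"PE\0\0"                             # PE signature at pe_off
    hdr += (0x14C).to_bytes(2, "little")         # Machine: i386
    hdr += (1).to_bytes(2, "little")             # NumberOfSections
    hdr += timestamp.to_bytes(4, "little")       # TimeDateStamp (Unix epoch seconds)
    return bytes(hdr)


def compile_time_from_pe(data: bytes) -> int:
    """Return the COFF TimeDateStamp of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = int.from_bytes(data[0x3C:0x40], "little")
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return int.from_bytes(data[pe_off + 8:pe_off + 12], "little")


def plausible(ts: int, first_seen: int) -> bool:
    """Compile stamps are attacker-controlled: drop zeroed ones and any that
    claim to post-date the moment the sample was first observed."""
    return 0 < ts <= first_seen


def in_working_hours(ts: int, tz=MSK) -> bool:
    local = datetime.fromtimestamp(ts, tz)
    return local.weekday() < 5 and WORKDAY_START <= local.hour < WORKDAY_END


def working_hours_profile(timestamps, tz=MSK):
    """Return (fraction of stamps inside local working hours, Counter of local hours)."""
    ts = list(timestamps)
    if not ts:
        raise ValueError("no timestamps to profile")
    hours = Counter(datetime.fromtimestamp(t, tz).hour for t in ts)
    hits = sum(in_working_hours(t, tz) for t in ts)
    return hits / len(ts), hours


def utc_stamp(y, m, d, hh, mm) -> int:
    return int(datetime(y, m, d, hh, mm, tzinfo=timezone.utc).timestamp())


# Constructed sample set: UTC compile stamps as a PE tool would report them.
# Hypothetical values, not real APT28 data.
FIRST_SEEN = utc_stamp(2014, 10, 1, 0, 0)
SAMPLES = [build_stub_pe(t) for t in (
    utc_stamp(2013, 6, 11, 6, 30),   # Tue 10:30 MSK
    utc_stamp(2013, 6, 13, 9, 0),    # Thu 13:00 MSK
    utc_stamp(2013, 6, 14, 13, 45),  # Fri 17:45 MSK
    utc_stamp(2013, 6, 15, 8, 0),    # Sat 12:00 MSK: weekend
    utc_stamp(2013, 6, 17, 2, 10),   # Mon 06:10 MSK: before start of day
    utc_stamp(2013, 6, 18, 14, 0),   # Tue 18:00 MSK: end of day, exclusive
    utc_stamp(2013, 6, 19, 5, 0),    # Wed 09:00 MSK
    utc_stamp(2013, 6, 20, 7, 59),   # Thu 11:59 MSK
    0,                               # zeroed stamp, discarded
    utc_stamp(2020, 1, 1, 8, 0),     # post-dates first sighting, discarded
)]


def profile_samples(samples=SAMPLES, first_seen=FIRST_SEEN, tz=MSK):
    """Parse, filter and profile a batch of PE images; returns (kept, fraction, hours)."""
    stamps = [compile_time_from_pe(s) for s in samples]
    kept = [t for t in stamps if plausible(t, first_seen)]
    frac, hours = working_hours_profile(kept, tz)
    return len(kept), frac, hours


if __name__ == "__main__":
    kept, frac, hours = profile_samples()
    print(f"{kept} plausible stamps, {frac:.0%} inside MSK working hours")
    for h in sorted(hours):
        print(f"{h:02d}:00 {'#' * hours[h]}")
```

The fraction alone is weak evidence: a single operator who compiles at odd hours, a build server in another zone, or deliberately forged stamps all skew it, which is why the filter against first-seen time is applied before binning and why the hour histogram is kept alongside the headline number.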
“Many of APT28’s targets align generally with interests that are typical of any government. However, three themes in APT28’s targeting clearly reflect areas of specific interest to an Eastern European government, most likely the Russian Government,” said the report, titled “APT28: A Window into Russia’s Cyber Espionage Operations?”
“These include the Caucasus (especially the Georgian Government), Eastern European governments and militaries and specific security organizations. Given the available data, we assess that APT28’s work is sponsored by the Russian government,” the report said.
The hacking group also registered fake websites aimed at people interested in NATO and in several European defense events, including this year’s Farnborough Airshow, EuroNaval, EUROSATORY and Counter Terror Expo.
“Targeting organizations and professionals involved in these defense events would likely provide APT28 with an opportunity to procure intelligence pertaining to new defense technologies,” the report said.
The hacking outfit’s toolset included a downloader FireEye called “Sourface,” a backdoor labeled “EvilToss” and a flexible modular implant called “Chopstick.”
Together, these tools could provide access to the file system and registry; enumerate network resources; create processes; log keystrokes; access stored credentials; execute shellcode; and encrypt collected data with an RSA public key before uploading it. Because only the public half of the key pair is embedded in the implant, a captured sample or a full network capture gives an analyst no way to recover the stolen data; only the operators holding the private key can decrypt it.
The tools moved data through mail servers, and one version of Chopstick could even bridge air-gapped networks by passing messages through local directories, registry keys and USB drives, so that an isolated host’s data could be carried to an Internet-connected machine and relayed from there.