An APT group thought to be tied to Russia is defying conventional wisdom: within the last three weeks, it dropped its sixth zero-day in the past four months.
Given the underground value of unpatched and unreported vulnerabilities, this is highly unusual behavior, even for a state-sponsored cyberespionage team.
Nonetheless, APT 28, also known by other nicknames such as Tsar Team, Operation Pawn Storm, and Sednit, has been a busy gang, targeting government agencies and military operations with a host of Adobe Flash, Microsoft and Java-based zero-days at its disposal.
This week alone, two zero-days attributed to this team disappeared when they were patched by Microsoft and Oracle in Office and Java respectively. Researchers at iSight Partners reported the Office zero-day to Microsoft on June 30 and it was patched on Tuesday in MS15-070, an Office security bulletin that patched 13 other vulnerabilities in the software. Later that night, Oracle erased a Java zero-day in its quarterly Critical Patch Update that was used against a U.S.-based defense contractor and foreign military outfits. It was the first Java zero day actively exploited in the wild since 2013, experts said.
APT 28 keeps a vast arsenal of malware and domains under its control, according to researchers Brian Bartholomew and Jonathan Leathery of iSight.
“This indicates it’s not a handful of guys; this is an organization managing this stuff,” Bartholomew said, adding that the group has also been known to use cryptocurrency such as Bitcoin to buy domains in order to hide registration information and remain anonymous. “It’s hard to manage that much infrastructure that they own.”
Five of the half-dozen zero-days, Bartholomew said, were built in-house by APT 28, while the sixth, CVE-2015-5119, was a repurposed Flash zero-day that was put into use 24 hours after it was uncovered in the wake of the Hacking Team breach.
“They actually rewrote it, which is interesting. It’s not just a copy of the [Hacking Team] proof of concept with their own shell code added,” Bartholomew said.
The Office zero day, CVE-2015-2424, was likely still under development since iSight researchers said it was still fairly buggy and unreliable. It was likely spread via spear phishing emails, specifically targeting individuals or groups within sensitive organizations. The lure found by iSight was a Word document purporting to be an analysis of the Iran nuclear deal.
“It’s a heap corruption vulnerability in Office where it’s mishandling an object in memory, which allowed for remote code execution from the weaponized document,” Leathery said, adding that the message also included a CNN article on the Iran deal published June 28. The likely target was the former Soviet republic of Georgia.
The payload is a variant of the Sofacy or Sednit Trojan, which immediately opens a backdoor to a number of attacker-controlled domains where stolen data is sent. Some of the domains, iSight said, are benign or do not belong to the APT group, a false-flag of sorts. The targets are government agencies in Eastern Europe or NATO, along with critical industries such as nuclear, telecommunications, defense industrial base and diplomatic interests.
The group is not only adept at gathering intelligence from foreign interests, but also focuses on internal dissidents and threats to national security in Russia, iSight said. One counter-terrorism operation attributed to this group is the so-called Cyber Caliphate hacktivist operation, where hackers posing as ISIS supporters set up lures via social media or forums, trying to attract those sympathetic to the Islamic State. Once some confidence was established with a target via direct messaging, APT 28 would entice the target to install a malicious application that allowed the group to monitor the dissidents’ activities.
Although these particular Office and Java zero-days have been patched, iSight believes APT 28 is well resourced and has more at its disposal.
“This throws a wrench in their plans; usually they can get a few months out of a zero day before a patch is out,” Bartholomew said. “It’s unprecedented using this many zero days, but at the same time, they have access to developers who can build these or have the resources to buy them.”