A Russian APT group tied to ongoing attacks against military and political targets in Eastern Europe and against NATO could also have ties to the MiniDuke espionage campaign uncovered more than a year ago.
Dubbed APT28 by FireEye in a report published last night, the Russian hackers have targeted Eastern European governments and military organizations, the government of the country of Georgia, as well as NATO and the Organization for Security and Cooperation in Europe (OSCE). The group, FireEye said, operates as a professional team with indicators of long-term software development planning and operational security tactics in place. They operate during business hours, on Moscow time, and use phishing lures specific to government and military officials of political and strategic value to the Russian government, the report said.
Kaspersky Lab Global Research & Analysis Team expert Aleks Gostev said this same group is also known as Sofacy and may have ties to the MiniDuke campaign. The MiniDuke campaign also was used for political and military espionage but relied on a number of unusual tactics in a shotgun-style approach with 59 victims in 23 countries, most of those in Europe.
Like MiniDuke, APT28 relies on phishing emails to penetrate organizations. The messages carry convincing decoy documents that kick off a chain of infections and backdoors; stolen information is ultimately encrypted and sent to a command and control server.
Laura Galante, manager of threat intelligence at FireEye, said they have not been able to determine how successful APT28 has been with these three particular sets of targets.
“That’s part of the open question,” Galante said. “We can see the targets in Eastern Europe by the lures they use and domains they’ve registered, but we don’t have perfect visibility on what they’re doing with the targets they’re able to compromise. If you can get into the email of an Eastern European military attache, what are they doing with the stolen communication? I would wager they’re probably using it to think about their own policy decisions and shape their responses to military and political affairs.”
Galante said the malware and attack tools have been regularly updated and refined since 2007. The development platforms are flexible and built for long-term use, and the coders are skilled not only at building custom malware, but also coding in barriers that complicate reverse engineering and other forensic analysis.
FireEye said in its report that the malware samples include Russian language settings and were compiled in a Russian language build environment starting in 2007—more than 96 percent of the samples were compiled between Monday and Friday, and 89 percent between 8 a.m. and 6 p.m. in the UTC+4 time zone, FireEye said.
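The compile-time profile above is produced by reading the build timestamp out of each sample's PE header and checking how many land on weekdays and within working hours for a candidate time zone. The script below is an added illustration of that analytic step, not FireEye's tooling or code from the report. It parses the COFF TimeDateStamp from a PE image with the standard library only, computes the weekday and working-hours fractions for a given UTC offset, and, going one step beyond the text, sweeps candidate offsets to find the one under which the build times look most like an office schedule. The timestamps, the stub PE headers and the 8 a.m. to 6 p.m. window are constructed for the example; the percentages in the article come from FireEye's real sample set, not from these values.

```python
import struct
from datetime import datetime, timedelta, timezone


def pe_compile_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (Unix epoch seconds) from a PE image's header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    # e_lfanew at DOS header offset 0x3C points at the "PE\0\0" signature
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF file header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def build_stub_pe(timestamp: int) -> bytes:
    """Constructed test input: just enough header bytes to carry a TimeDateStamp (not a loadable PE)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> right after the DOS header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0)
    return bytes(dos) + coff


def working_hours_profile(timestamps, utc_offset_hours, start_hour=8, end_hour=18):
    """Fractions of samples built (weekday, inside [start_hour, end_hour), both) in the given UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    weekday = in_hours = both = 0
    for ts in timestamps:
        local = datetime.fromtimestamp(ts, tz)
        wd = local.weekday() < 5            # Monday..Friday
        ih = start_hour <= local.hour < end_hour
        weekday += wd
        in_hours += ih
        both += wd and ih
    n = len(timestamps)
    return weekday / n, in_hours / n, both / n


def best_utc_offset(timestamps, candidates=range(-12, 15)):
    """Offset under which the largest share of builds fall on a weekday and inside working hours."""
    return max(candidates, key=lambda off: working_hours_profile(timestamps, off)[2])


def analyze_samples(pe_blobs, utc_offset_hours=4):
    """Parse the build stamps out of PE images and profile them in one time zone."""
    stamps = [pe_compile_timestamp(blob) for blob in pe_blobs]
    return working_hours_profile(stamps, utc_offset_hours)


# Constructed sample set: nine builds on weekdays during office hours in UTC+4,
# one build late on a Saturday night. 2013-03-04 is a Monday.
_TZ_PLUS4 = timezone(timedelta(hours=4))
SAMPLE_TIMESTAMPS = [
    int(datetime(*ymdhm, tzinfo=_TZ_PLUS4).timestamp())
    for ymdhm in [
        (2013, 3, 4, 9, 15), (2013, 3, 4, 14, 40), (2013, 3, 5, 11, 5),
        (2013, 3, 6, 16, 30), (2013, 3, 7, 10, 0), (2013, 3, 7, 17, 45),
        (2013, 3, 8, 8, 20), (2013, 3, 11, 13, 10), (2013, 3, 12, 15, 55),
        (2013, 3, 9, 23, 30),
    ]
]

if __name__ == "__main__":
    blobs = [build_stub_pe(t) for t in SAMPLE_TIMESTAMPS]
    wd, ih, both = analyze_samples(blobs, utc_offset_hours=4)
    print(f"weekday builds: {wd:.0%}, 08-18 builds: {ih:.0%}, both: {both:.0%} (UTC+4)")
    print("most office-like UTC offset:", best_utc_offset(SAMPLE_TIMESTAMPS))
```

Two caveats a practitioner would apply before drawing conclusions from this kind of profile: the TimeDateStamp is an attacker-controlled field and can be zeroed or forged by the build toolchain, so the signal is only as good as the sample set's consistency, and the sweep will happily pick a neighbouring offset when the hour distribution is broad, so it should be read alongside independent indicators such as the language settings and lure targeting the report describes.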
Three primary targets all have political or military value to the Russian government. Attacks on one target, the Georgian government, ramped up following Russia's 2008 war with Georgia and that country's subsequent growing ties to the West. Specifically, attacks against the Georgian Ministry of Internal Affairs and the Ministry of Defense were carried out. Spear phishing attacks tailored to particular people or organizations at each ministry were found, each with a different exploit for a Microsoft Office vulnerability.
“In general, the group relies on older exploits, such as CVE-2012-0158, and it does not appear to be as sophisticated in terms of technical skills as other groups, for instance Turla,” Kaspersky’s Gostev said.
Separate attacks were also discovered against an Eastern European Ministry of Foreign Affairs, the Polish government, NATO, OSCE, defense attachés working in Eastern European countries, and even attendees of European defense exhibitions, each following a pattern similar to other APT28 attacks, FireEye said.
“The malware used in these attacks has some interesting features, but when you’re thinking about how they’re getting on networks, they’re still relying on spear phishing,” Galante said. “They’re still requiring and dependent on a user mistake to get on a network.”
The malware, Galante said, is custom built by the group. Once a victim opens a spear phishing email and executes the malware tucked in the tainted Office attachment, a dropper loads the Sofacy downloader, which grabs second-stage malware from a command and control server, Galante said. A backdoor is established for anything from shellcode execution to credential theft and system monitoring. Implants are then dropped onto the victim's machine that include counter reverse-engineering features that disrupt static analysis of the malware. Stolen data is protected with RSA encryption as it moves from the victim to the controller, FireEye said.
Galante said that, unlike the Chinese APT groups that have been unmasked, Russian groups don't generally steal intellectual property.
“With the Russian group, the victim set is narrow and the type of operations occurring are distinct from intellectual property and financial data theft that the Chinese groups focus on,” Galante said. “The majority of Chinese groups go after trade secrets to help their state-owned enterprises in China. Sure there is a military and political application to a lot of the information taken by Chinese groups, but the defining feature is secrets from economic sectors.”