FireEye Unmasks Kremlin-Sponsored Cyber-Gang APT28

FireEye has released a new report detailing the activities of APT28: a cyber-espionage group it believes has been operating since 2007 on a Kremlin-backed mission to steal sensitive data for the Russian government.

The security vendor has based its conclusions about attribution on a variety of factors.

First, the group’s malware tools and techniques have been “systematically updated” since 2007.

It explained:

“APT28 is most likely supported by a group of developers creating tools intended for long-term use and versatility, who make an effort to obfuscate their activity. This suggests that APT28 receives direct ongoing financial and other resources from a well-established organization, most likely a nation state government.”

The malware is fairly sophisticated: designed to hamper reverse engineering efforts and featuring multiple data theft techniques including backdoors using HTTP and victim mail servers, and local copying to defeat closed networks, the firm said.

APT28’s targets also betray Moscow’s geopolitical interests, particularly: the Georgian government; a journalist writing on Caucasus’ issues; the Chechnya-related Kavkaz Center; Eastern European governments; and NATO.

Finally, malware settings indicate that the group’s developers have done most of their work over the past six years in a Russian language build environment and during Russian business hours.

For the record, APT28’s most commonly used tools are the SOURFACE downloader, second stage backdoor EVILTOSS – which does reconnaissance, monitoring and credential theft – and a modular family of implants dubbed CHOPSTICK.

Infection is usually achieved via a spear phishing email with a relevant lure and the malware hidden in the attachment.

The activities of the group contrast many of the Chinese AT groups uncovered over recent years, as the report explains:

“This group, unlike the China-based threat actors we track, does not appear to conduct widespread intellectual property theft for economic gain. Nor have we observed the group steal and profit from financial account information. The activity that we profile in this paper appears to be the work of a skilled team of developers and operators collecting intelligence on defense and geopolitical issues – intelligence that would only be useful to a government.”

Russia and China are, of course, not the only nations equipped with the capabilities to launch APTs – FireEye is tracking 28 such groups linked to state-sponsorship, according to the vendor’s EMEA CTO Greg Day.

“Espionage between nations existed long before cyber,” he told Infosecurity by email.

“But as cyber becomes increasingly intertwined into government and society, we are seeing and will continue to see espionage move into cyber-space, with more nations building out capabilities to spy upon each other as well as the commercial supply chain they leverage.”

China is unlikely to be the only nation state backing hackers to steal data for financial gain, however.

Day said he had little doubt that others are “leveraging the intelligence they are either proactively gathering or inadvertently have access to through their espionage activities.”

What’s Hot on Infosecurity Magazine?