The infamous APT28 group linked to the hacking of Democratic Party officials last year is most likely sponsored by the Russian foreign intelligence agency GRU and will continue to attempt to influence major elections in Europe this year and beyond, according to SecureWorks.
The security vendor claimed in a new report that the group – which it dubs Iron Twilight – switched its activity beyond covert military intelligence gathering to sabotage and attempts to target political entities in 2015.
One of the GRU’s stated aims is to use maskirovka – deception and disinformation techniques designed to “confuse, undermine, and ultimately disrupt an enemy.”
That seems to fit well with APT28’s publication of damaging internal emails from DNC officials, as well as other organizations including anti-doping agency WADA.
The report concluded:
“The threat group’s activity can be characterized by the theft of confidential information and its calculated release to influence global events. Characteristics of IRON TWILIGHT’s activity suggest it is operated by the GRU. The threat group’s departure from purely military and regional affairs to broader political and strategic operations, evidenced by its US political operations, suggests the Kremlin views IRON TWILIGHT’s role as supporting Russian ‘active measures.’ These active measures correspond to the Soviet doctrine of manipulating popular opinion to align with Russian strategic interests, enabling other Russian threat groups to carry out traditional covert intelligence gathering operations.”
However, while a link with the GRU is likely, there is still no direct evidence and the Kremlin remains able to plausibly deny any such activity.
Going forward, the group is likely to attack any entity seen as hostile to Russian interests. This means the French and German election will be hit by “similar operations” to that which influenced the outcome of the race for the White House, and could mean TV broadcasters are in its cross hairs, following the notorious attack on TV5 Monde in 2015.
However, its spearphishing tactics are far from sophisticated, and SecureWorks had the following advice:
“By applying best practice security controls such as regular vulnerability scanning and patching, network monitoring, and user education, organizations can reduce their susceptibility to compromise. IRON TWILIGHT quickly operationalizes disclosed vulnerabilities in web browsers and associated plugins, so timely implementation of patches is important for protecting systems. Based on the threat group’s exploitation of webmail, CTU researchers recommend that organizations implement two-factor authentication (2FA) on internal or third-party webmail platforms used in their environments. Organizations should also encourage employees use 2FA on their personal accounts and restrict work-related communication from personal email.”