The Russian state-sponsored APT28 group targeted presidential hopeful Hillary Clinton and the Democratic National Committee (DNC) as part of a much broader info-stealing campaign aimed at military, journalists and targets in former Soviet states.
That’s the view of Dell SecureWorks, whose Counter Threat Unit (CTU) has just released a new report on the work of the group, also known as Threat Group-4127, Sofacy, Sednit, Fancy Bear and Pawn Storm.
It claimed with “moderate confidence” the group is operating on behalf of the Russian government, meaning “the information is credibly sourced and plausible but not of sufficient quality or corroborated sufficiently to warrant a higher level of confidence.”
Those at greatest risk of attack from APT28 are inside Russia and the former USSR, although high-profile targets in the US and others in Western Europe have also been hit.
Russia subject matter experts; those portraying Russia in a negative context; government, defense and related supply chain organizations; US politicians; and former military or government personnel are all at risk, Dell’s CTU said.
The researchers linked the attacks against Clinton and the DNC and this wide sweep of other targets via a broad spearphishing campaign dating back to last year aimed at over 1800 Google accounts.
Attacks began with a classic phishing email containing a link to the “accoounts-google . com” domain.
Clicking the link would present victims with a fake Google Account log-in page via which the black hats could harvest their log-ins and access said account.
Dell SecureWorks discovered a Bitly URL linking back to the same spoof Google domain used in the phishing attacks – and found the related Bitly account had been used to create more than 3000 shortened links.
Much of the campaign focused on gathering information from key players in the conflict in eastern Ukraine, such as the Ukrainian prime minister, as well as government and military personnel which may have info of use to Russia and authors and activists who’ve criticized the country.
The group even targeted Syrian rebel leaders in what appears to be an attempt to gain intelligence useful to the Bashar al-Assad regime.
Dell SecureWorks added:
“Of the accounts targeted once, CTU researchers determined that 60% of the recipients clicked the malicious Bitly. Of the accounts that were targeted more than once, 57% of the recipients clicked the malicious link in the repeated attempts. These results likely encourage threat actors to make additional attempts if the initial phishing email is unsuccessful.”
The researchers warned that such spearphishing attacks could not only lead to information theft but also allow determined hackers to penetrate victims’ networks.
It urged organizations to educate users about the risks of spearphishing and shortened links and recommended pasting Bitly URLs, appended with a plus sign, into the address bar of a web browser to reveal the full URL.