APT28 orchestrated attacks against global banking sector, firm finds
Security firm Root9B believes that the hacking group started preparing for the campaign nearly a year ahead of time.
A security firm has uncovered planned attacks against several financial institutions and has linked the activity to APT28, a Russian cyberespionage group which looks to have expanded its sights beyond targets at government and military organizations.
Last October, FireEye released a detailed report on APT28, a group believed to have been in operation since at least 2007, which has targeted Georgia and the Caucasus, Eastern European governments and militaries, and security-related organizations including the North Atlantic Treaty Organization (NATO). At the time, FireEye revealed that the group used spear phishing and strategic web compromises (SWC) to install backdoors on victims' systems and, in turn, download other malware capable of monitoring their activities and stealing data.
Now, Root9B, a security firm in Colorado Springs, Colo., has revealed that it, too, has “uncovered plans by the Sofacy group,” also known as APT28 – this time a campaign to target several international institutions, including TD Bank, Bank of America, UAE Bank and the United Bank for Africa. In an 11-page report on the activities (PDF), Root9B said that while conducting “routine security analysis” for a client last month, it discovered a targeted spear phishing domain “aimed a financial institution.”
“The server it was found on raised even more questions, because although security experts knew the server as a bad actor, it was generally associated with malware used in nation state attacks,” the report said. The malware also “bore specific signatures that have historically been unique to only one organization, Sofacy [or APT28],” the report, published on Sunday, explained.
One server tied to the activity, CARBON2U[dot]com, had previously been associated with the Russian hacking group APT28, for instance.
Attackers “began preparations” for the campaign in June 2014, 11 months ahead of time, the company said, and analysts concluded that they had never seen such a case of a “large-scale attack utilizing numerous zero-day exploits that were so thoroughly mapped in advance.”