New report undresses 'Russian speaking' APT 28
APT 28's operators are 'Russian speaking'
A new report has shown the APT28 group to be targeting European government officials and defence personnel. In “APT28 Under the Scope: A Journey into Exfiltrating Intelligence and Government Information”, cyber-security company Bitdefender undresses the activities of the long running APT group, tracing its origins and showing its latest activity against political targets, especially in Ukraine.
The group is known under many other titles including Pawn Storm, Sofacy, Fancy Bear, Sednit and here APT 28. Its operators are widely thought to be tied to the Russian government which may well explain some of their behaviour. Bitdefender's report ties the group, who it refers to under the sobering title of APT28, to attacks on the computer systems of European government officials and defence companies.
Advanced Persistent Threat groups first emerged in popular consciousness in 2010 when the Stuxnet worm was found inside an Iranian nuclear facility.
Under the Scope reveals that APT28 has been collecting intelligence since as early as 2007.
Bitdefender squarely claims that those behind the group are “either Russian citizens or citizens of a neighbouring country that speak Russian” for a couple of reasons, the claims of others notwithstanding. One clue which furthers the case for APT28 is found in hacking tool, parts of which are coded in Russian.
An analysis of the tools used by the group also revealed that the overwhelming majority of the data exfiltrated by the group was done in the working hours of one time zone, the same one which contains Russia, Georgia and Azerbaijan. Of these, “Russia is the only country that possesses the necessary skills and resources” to pull off the kind of attacks that APT28 perform.
The case for Russian origin is only deepened when one thinks about Russia's geopolitical and regional goals. Bitdefender has traced APT28's activity around the world to countries like Spain, Romania, the United States, Canada and importantly, Ukraine. For a four day stretch in February 2015, APT28 scanned 8,536,272 Ukrainian IPs for possible vulnerabilities. That number amounts to nearly every IP in Ukraine.
This just happened to coincide with the peace talks in Minsk that brought together the leaders of Belarus, Russia, Germany, France and Ukraine to discuss a ceasefire in the eastern part of Ukraine, where the conflict is based.
Viorel Cnaja, head of antimalware and antispam labs at Bitdefender, told SCMagazineUK.com that “we saw a mix of targets (Western, Ukrainian, and Russian). Since the investigation is still ongoing we cannot disclose more information or details about the targets. However, government and telecommunication industries were also selected as the object of attack, pointing to an interest spanning across critical industries and select government institutions."
While the group targeted political figures from these countries as well as e-crime groups and telecommunications services, they also targeted the aerospace industry in Germany and Ukraine. The authors note that “all these victims seem related to the aerospace industry or aircraft research programs”.
Further supporting APT28's alleged Russian origin given the concurrent media coverage of the Russian smartplane PAK FA T-50 Fighter, “we presume the APT28 authors might have attempted to explore new technologies being developed in the aerospace industry for integration”.
Attacks on state officials and organisations are common for APT28, such as a 2014 cyber-attack on the German Parliament. Just this summer, the group used a Java zero-day exploit to launch attacks on the White House and NATO, disguised as privacy group The Electronic Frontier Foundation. In spring this year, the group were believed to be behind a supposed attack on a French television network, disguised as a cyber-jihadist group claiming to have ties to IS.