A security firm has uncovered planned attacks against several financial institutions and has linked the activity to APT28, a Russian cyberespionage group which looks to have expanded its sights beyond targets at government and military organizations.
Last October, FireEye released a detailed report on APT28, a group believed to have been in operation since at least 2007, which targeted the country of Georgia and the Caucasus, Eastern European governments and militaries and security-related organizations including the North Atlantic Treaty Organization (NATO), along the way. At the time, FireEye revealed that the group used spear phishing and strategic web compromises (SWC) to install backdoors on victims' systems, and, in turn, download other malware capable of monitoring their activities and stealing data.
Now, Root9B, a security firm in Colorado Springs, Colo., has revealed that it, too, has “uncovered plans by the Sofacy group” also known as APT28 – this time a campaign to target several international institutions, including TD Bank, Bank of America, UAE Bank and the United Bank for Africa. In an 11 page report on the activities (PDF), Root9B said that while conducting “routine security analysis” for a client last month, it discovered a targeted spear phishing domain “aimed a financial institution.”
“The server it was found on raised even more questions, because although security experts knew the server as a bad actor, it was generally associated with malware used in nation state attacks,” the report said. The malware also “bore specific signatures that have historically been unique to only one organization, Sofacy [or APT28],” the report, published on Sunday, explained.
One server linked to an intrusion, CARBON2U[dot]com, had previously been linked to the Russian hacking group APT28, for instance.
Attackers “began preparations” for the campaign in June 2014, 11 months ahead of time, the company said, and analysts concluded that they had never seen such a case of a “large-scale attack utilizing numerous zero-day exploits that were so thoroughly mapped in advance.”
Later in the report, researchers said that they were unclear on whether the continued attack vector was the same in this campaign, but that it was “most likely” spear phishing as seen initially. Root9B also published malware SHA1 hashes and command-and-control server information associated with the attacks so that organizations can block malicious activity.
Recent findings on APT28's aims to target the international financial sector precede reports of proposed cybersecurity regulations for banks and insurance companies.
This week, Reuters quoted Benjamin Lawsky, New York State's Superintendent of Financial Services, who spoke at the Reuters Financial Regulation Summit on Monday. Lawsky – who met with the heads of financial institutions last year to discuss cybersecurity following JPMorgan Chase's major breach – said Monday that he aimed to propose the new regulation by year-end, which may require banks “to get warranties from their vendors about what cybersecurity protections they have in place” and to implement a “multi-stepped process for allowing employees, and possibly customers, to log into their systems in order to make sure they are authorized users,” the Reuters article said.
"The one thing we find to be an existential threat right now is whether our financial institutions and systems are adequately protected when it comes to cybersecurity,” Lawsky said at the summit.