
APT28 turns away from election hacking and back to cyberespionage


APT28 has shifted its primary operation away from election interference and is instead actively conducting cyberespionage campaigns against government and military organizations in Europe and South America.

Symantec noted this shift in activity in a new report which showed APT28, aka Fancy Bear, was not deterred from conducting illicit activity even after being named as the group behind an attempt to influence the 2016 election cycle. Instead, starting in 2017 and continuing into this year, APT28 has initiated intelligence gathering cyber operations against a well-known international organization, military and government targets in Europe, a South American government and an embassy belonging to an Eastern European country.

APT28 is using several hacking tools to accomplish its missions, with Sofacy as its primary go-to weapon. Sofacy has two main components: Trojan.Sofacy, also known as Seduploader, which performs basic reconnaissance on a targeted computer and can download further malware, and Backdoor.SofacyX (also known as X-Agent), a second-stage info-stealing malware. To cover all its bases, APT28 also uses the Mac version, OSX.Sofacy.

The group is also using the Lojax rootkit, which exploits the Unified Extensible Firmware Interface (UEFI) and can give an attacker the ability to persist for long periods inside a system, according to a recent ESET report.

Symantec also noted some connections between APT28 and other cyberespionage groups.

“Another attack group, Earworm (aka Zebrocy), has been active since at least May 2016 and is involved in what appears to be intelligence gathering operations against military targets in Europe, Central Asia, and Eastern Asia. The group uses spear-phishing emails to compromise its targets and infect them with malware,” the report said.

The connection between the two groups was made when some overlap was noted in their command and control infrastructures. However, Earworm has been spotted in separate attacks, so Symantec identifies and tracks it as a separate group.

This movement away from overt election interference and back to quietly conducting cyberespionage campaigns, Symantec concluded, means APT28 will remain an ongoing threat to nation states.
