Incident Response, TDR

FireEye identifies cyber espionage group possibly tied to Russian government

The country of Georgia and the Caucasus, Eastern European governments and militaries, and various security-related organizations including the North Atlantic Treaty Organization (NATO) have been the targets of a cyber espionage group – referred to as APT28 – that is believed to Russian, according to FireEye.

Analyzed malware samples feature a consistent use of the Russian language, according to a FireEye report released Tuesday, which adds that more than 96 percent of malware samples were compiled between Monday and Friday and more than 89 percent were compiled between 8AM and 6PM in the time zone paralleling working hours in Moscow and St. Petersburg. 

APT28 is believed to have been operating since at least 2007, and its targeting, malware, language, and working hours has led FireEye to believe that the group is sponsored by the Russian government, Dan McWhorter, VP of threat intelligence with FireEye, told in a Tuesday email correspondence.

“We believe that APT28's efforts seek to collect intelligence to support higher-level decision making, capabilities assessments of regional governments and organizations, and a variety of other espionage-oriented gains,” McWhorter said. “These gains allow for the group's sponsors to gain key insights into the targets' internal /regional policy positions and efforts, partnerships with international and foreign entities, and military/defense postures, among other things.”

Among the targets identified by FireEye are the Georgian Ministry of Internal Affairs, the Georgian Ministry of Defense, journalists covering the Caucasus, the Polish government, the Hungarian government, Ministry of Foreign Affairs in Eastern Europe, NATO, and the Organization for Security and Co-operation in Europe.

APT28 targets with spear phishing and strategic web compromises (SWC), McWhorter said.

“Its spear phishing efforts appear to be highly tailored at times, meaning that the group develops “lure” materials that it thinks would be of most interest to – and attract the least suspicion from – its targets,” McWhorter said, going on to add, “In terms of the SWCs, APT28 appears to be luring its victims to malicious/weaponized websites, which would appear to the victims as innocuous sites given that many of the domains are fake masquerades of legitimate sites.”

The group has a variety of tools at its disposal, McWhorter explained.

SOURFACE is a first stage downloader intended to download a backdoor on the victim environment, and will attempt to retrieve and load the group's second stage tool, EVILTOSS. EVILTOSS is used as a second stage backdoor, allows for command-and-control operations, and identifies key technical aspects of the victim's system, as well as performs local system monitoring, credential harvesting and theft, and shellcode execution. CHOPSTICK is a modular malware family, and the framework enables APT28 to generate implants with various functions, including keystroke logging and full file system access.

“The longer term “maintenance” of APT28 malware is interesting because it speaks to a dedicated development effort behind the scenes,” McWhorter said. “It reflects the group's commitment and evolution of its various tools, and its development of the CHOPSTICK modular platform points to longer-term thinking and planning in regards to creating a flexible exploitation toolset.”

APT28 occasionally uses valid email as command-and-control routes, McWhorter said, explaining that more scrutiny needs to be given to analyzing this traffic.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.