Symantec: APT28 and APT29 likely already working on 2018 election

With less than two months to go before the midterm elections, Symantec reports that there is every reason to believe foreign interlopers will again pull out the stops in order to influence voters and sow confusion.

“Given the impact the 2016 attacks had, there is a strong likelihood that these tactics may be used again in a bid to sow discord and confusion among voters,” the Symantec Security Response team said, noting new activity has already been recorded.

This bit of prognostication came in a report examining the past activities of the well-known Russian groups APT28 and APT29, both of which played roles in attempting to influence and undermine the 2016 U.S. election cycle. Symantec noted the groups don’t attempt to alter election results by directly tampering with voting machines or changing vote counts; instead they target specific organizations, attempting to find and leak data that will then sway people to vote for or against a particular candidate.

APT28 and APT29 have been linked by the U.S. to the Russian government and both started out as generic cyberespionage gangs looking to steal industrial and government information, Symantec said. In addition, in July Special Counsel Robert Mueller indicted 12 Russian military officers, part of Russia’s GRU military intelligence unit, for hacking into the Democratic National Committee systems in an effort to influence the 2016 presidential election.

APT28, aka Sofacy, Fancy Bear, Swallowtail, Tsar Team and Sednit, became known in January 2007 and was named as the malicious actor behind the 2016 attack on the World Anti-Doping Agency. To gain access, the group uses spearphishing emails, watering holes, infected storage devices, and zero-day vulnerabilities.

Once inside, APT28 uses several tools, including Infostealer.Sofacy, OSX.Sofacy, Trojan.Sofacy and Trojan.Modruner, to accomplish its task.

APT29, aka Cozy Bear, Fritillary and the Dukes, differs slightly in its approach by relying mainly on spearphishing to gain access, while still having the same target list as its sister group.

“During the 2016 U.S. presidential election attacks, APT29 sent spear-phishing emails to over 1,000 targeted individuals, including some U.S. government personnel. These emails contained malicious links which, if clicked, would lead to malware being installed on the target’s computer. This allowed APT29 to compromise a political party’s systems and steal emails from several accounts on the network,” Symantec wrote.

Its toolkit includes Trojan.Cozer, Trojan.Seaduke, Trojan.Dionisduke, Backdoor.Netduke, Trojan.Powerduke and Backdoor.Miniduke.

Both groups are already up to their old tricks.

In August the research firm Lookout informed the Democratic National Committee of an attempted spearphishing attack against its voter database hosted on Votebuilder. The malicious actor, believed to be APT28, had created a fake login page in an attempt to snag credentials that could be used to access the database. However, this turned out to be a false alarm, as the page was actually part of a test that had been detected.

Just one week earlier, Microsoft shut down six websites also created by APT28 that targeted the U.S. Senate and conservative think tanks and were potentially intended to launch cyberattacks. These were likely watering holes from which the gang could harvest login credentials for use in future attacks or spearphishing efforts.
