Russian hacking group APT28 and their activities over the past 3 years. Author: Alan Kerrigan

Alan Kerrigan
5 min read, Jun 14, 2020

Fancy Bear, also known as Sofacy or APT28, is a nation-state adversary group that has been operating since 2008. The group has posed a threat to many local and global organizations. Its primary targets are defence, aerospace, government, the energy sector, media and news outlets, as well as private companies. The group uses a cross-platform implant to attack organizations across the world.

The group usually attacks mobile devices and conventional computers using stolen credentials and phishing messages. It has made substantial efforts to run a wide variety of hacking operations over the last 3 years. One of its objectives is to launch sophisticated hacking operations against political organizations in the United States, according to Dmitri Alperovitch, chief technology officer at CrowdStrike.

The Russian hacking group APT28 dedicates considerable time to enhancing its main implant, known as XAgent. It is also actively developing other proprietary hacking tools, for instance DownRange, Foozer, WinIDS and X-Tunnel. XAgent is the main implant and has been used to compromise multiple operating systems across a wide range of mobile devices and conventional computer systems.

Recently, the group made an unprecedented move in the hacking field: registering domain names that resemble those of legitimate companies and organizations. This has proven beneficial for them, because they have targeted those companies and organizations by setting up phishing sites on the look-alike domains to harvest users' credentials for web-based email services.
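The look-alike domain technique described above is something a defender can screen for. The following is an added example (not code from the article or from any vendor it mentions) that scores newly observed domains against an organization's own domains: it catches the same label under a different TLD, common homoglyph substitutions such as "1" for "l" or "rn" for "m", single-character typos, and the brand label embedded in a longer label. The protected domain, the candidate list and the homoglyph table are constructed sample data and assumptions, not observations from the article.

```python
"""Flag newly seen domains that imitate an organization's own domains.

Added example for the article above, not code from the article or from any
vendor it mentions. PROTECTED and CANDIDATES are constructed sample data; the
homoglyph table is a small illustrative subset (assumption, not exhaustive).
"""

# Common look-alike substitutions seen in phishing domains (illustrative only).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
              "rn": "m", "vv": "w", "cl": "d"}

MAX_EDITS = 1  # one typo away; raise this with care for short brand labels


def registrable_label(domain: str) -> str:
    """Second-level label of a domain, e.g. 'example' for 'mail.example.org'.
    Assumes simple two-part suffixes (no co.uk-style public-suffix handling)."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def fold(label: str) -> str:
    """Lower-case a label and collapse common homoglyph substitutions."""
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate: str, protected: str):
    """Return a reason string if candidate appears to impersonate protected, else None."""
    candidate, protected = candidate.lower().strip("."), protected.lower().strip(".")
    if candidate == protected or candidate.endswith("." + protected):
        return None  # the organization's own domain or one of its subdomains
    cand, prot = registrable_label(candidate), registrable_label(protected)
    if cand == prot:
        return "same label, different TLD"
    fcand, fprot = fold(cand), fold(prot)  # fold both sides so the rules stay consistent
    if fcand == fprot:
        return "homoglyph substitution"
    if levenshtein(fcand, fprot) <= MAX_EDITS:
        return "typo within %d edit(s)" % MAX_EDITS
    if fprot in fcand:
        return "brand label embedded in a longer label"
    return None


def find_lookalikes(candidates, protected_domains):
    """Match every candidate against every protected domain; first reason wins."""
    hits = []
    for c in candidates:
        for p in protected_domains:
            reason = classify(c, p)
            if reason:
                hits.append({"domain": c, "impersonates": p, "reason": reason})
                break
    return hits


PROTECTED = ["example.org"]  # constructed: the organization's real domain
CANDIDATES = [  # constructed sample feed, e.g. from a new-domain or CT-log list
    "mail.example.org", "example.net", "examp1e.org", "exarnple.org",
    "exmple.org", "example-webmail-login.com", "unrelated.com",
]

if __name__ == "__main__":
    for hit in find_lookalikes(CANDIDATES, PROTECTED):
        print(f"{hit['domain']:30} -> {hit['impersonates']}  ({hit['reason']})")
```

In practice the candidate feed would come from certificate-transparency logs or a newly registered domain list, and each hit would be routed to a blocklist or a takedown request; the homoglyph table and edit-distance threshold should be tuned to the length of the brand labels being protected, since short labels produce many false positives at distance 1.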

APT28 targets Government and Military Organizations

Recent reports have shown that the group has returned to covert intelligence operations in South America and Europe. The group gained notoriety in 2016 for its involvement in the US presidential election and continued its operations in the following years. It is important to note that the FBI and DHS have declared this group a global threat to cybersecurity, and there is good evidence of its connections to the Russian government.

In 2016, the group sent spear-phishing emails to members of different political parties. They also targeted members of the Democratic National Committee (DNC), the governing body of the US Democratic Party. The emails were designed to lure recipients into changing their passwords on a fake webmail domain.

The group then used the stolen credentials to gain access to the DNC network. Once inside, they implanted malware that moved across the DNC network and stole data, which was later leaked online. The group also attacked the World Anti-Doping Agency (WADA) in 2016: the malware that penetrated its systems gathered confidential drug-testing information, which was again leaked online.

All of this information was published on a website called "Fancy Bear." The purpose was to attract a significant amount of attention, and they succeeded, Alperovitch added. The group has continued to mount operations from 2017 through 2019 (to date).

In 2018, the group continued its covert intelligence-gathering operations in Europe and South America. Targets included global organizations, European governments, military targets in Europe and government organizations in South American countries.

The group is also linked to Earworm, another attack group active since 2016 that conducts intelligence-collection operations against military targets in East Asia, Central Asia and Europe. In addition, APT28 remains an ongoing threat to US intelligence agencies.

New Activities from Russian Hacking Group APT28

Cybersecurity agencies in the United States and Europe have observed links between APT28 and Earworm, as both continuously use spear-phishing emails to compromise governmental and military targets in North America and Europe. Both use the Backdoor.Zekapab and Trojan.Zekapab malware tools to compromise systems and steal confidential information.

The group also uses Trojan.Sofacy to perform advanced reconnaissance on the systems of targeted organizations. DHS reports show that infected computer systems are significantly affected because the Trojan downloads further malware. Moreover, APT28 has been using the Backdoor.SofacyX malware to steal information from infected computer systems.

Covert activity against NATO member states has increased since December 2018. Experts have noted the group's aligned activity against US security organizations. It is now using zero-day exploits and custom malware tools to attack private companies in the US and Europe.

According to Benjamin Read, a cybersecurity expert at FireEye, a California-based security company, APT28 is trying to gain access to networks to collect data that would enable the Russian government to make informed political decisions. He added that the group could also use the data for leaks, which could considerably damage candidates or political parties in the coming elections.

Furthermore, Tom Burt, Corporate Vice President at Microsoft, said that the company found the group attacking European democratic institutions in March and April 2019. These attacks are not limited to democratic institutions but also target think tanks, private companies and non-profit organizations working in areas such as public policy, electoral integrity and democracy, Burt added.

Microsoft detected various attacks in late 2018 and early 2019 that targeted 104 accounts belonging to senior employees at organizations located in Serbia, Romania, Poland, Germany, France and Belgium. Microsoft attributed these attacks to APT28.

Again, it is important to note that these attacks were also carried out via spear-phishing email campaigns, now the group's go-to attack method. To stop such attacks in future, Burt said that Microsoft is expanding its AccountGuard service to more European countries: France, Sweden, Germany, the Netherlands, Finland, Denmark, Spain and Eastern European states.

Conclusion

Government organizations, military and security agencies, and big market players are the primary targets of the APT28 hacking group. The group has been engineering sophisticated malware tools to penetrate deep into the cyber defences of these organizations.

Governments across the world need to adopt advanced cybersecurity policies and collaborate with companies that develop anti-malware tools and applications. Stopping APT28 is a challenging task for the EU; its member states require advanced solutions to protect their national and continental integrity against this malicious Russian group.

Kind Regards

Alan Kerrigan


Hi, I am Alan Kerrigan, Global Director of Sales and Marketing @DeviceAtla