A Russian state-backed hacking group dubbed ‘APT28’ has for the last decade systematically targeted NATO and a raft of East European and Caucasus governments with espionage malware, research by security firm FireEye has confirmed.
At the beginning of anxiety over Advanced Persistent Threats (APTs), around 2012, FireEye told us about APT1 (or PLA61398), the Chinese Army unit tasked with finding a way into US organisations, mainly to steal intellectual property and business secrets. Now as 2015 dawns, the firm’s analysis suggests that Russia’s activity probably stretches back even further, to the middle of the last decade when the superpowers started developing cyberwar in earnest.
FireEye connects APT28 to a slow drip of detected attacks since 2007, including ones targeting Georgia, Poland, Hungary, Turkey, the Baltics, as well as the Organization for Security and Co-operation in Europe (OSCE) and firm favourite, NATO. Its controllers even sent malware to journalists writing about the Caucasus, FireEye found.
The delivery method was typical of Chinese APTs and involved sending spear-phishing emails primed to drop an exploit for a vulnerability the target is unlikely to have patched. A range of malware was deployed, all specially written to achieve its aim of silently infiltrating computers and networks.
As with the firm’s analysis of Chinese cybergroups, the evidence of Russian involvement is based on inference: a mixture of looking at executable compile times (which line up with 0400 to 1400 UTC, office hours in Russia), clues within some of the malware such as Russian language settings, and the types of targets the malware was directed at.
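The compile-time inference above can be reproduced on a sample set. The following is an added example, not FireEye’s tooling: it reads the COFF TimeDateStamp from PE headers, buckets each sample by UTC hour, and reports what fraction falls inside the 0400 to 1400 UTC window the article cites (the window constants and the stub header builder are this example’s own assumptions).

```python
import struct
from datetime import datetime, timezone

# Assumed working-hours window taken from the article: 04:00-14:00 UTC.
WORK_START_UTC = 4
WORK_END_UTC = 14


def pe_compile_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch) of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    # e_lfanew at DOS header offset 0x3C points to the "PE\0\0" signature.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # COFF header follows the signature; TimeDateStamp sits 4 bytes into it.
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def compile_hour_utc(ts: int) -> int:
    """Hour of day (UTC) at which the sample was compiled."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).hour


def in_work_window(ts: int) -> bool:
    return WORK_START_UTC <= compile_hour_utc(ts) < WORK_END_UTC


def window_fraction(samples) -> float:
    """Fraction of PE samples whose compile hour lies in the assumed window."""
    if not samples:
        return 0.0
    hits = sum(in_work_window(pe_compile_timestamp(s)) for s in samples)
    return hits / len(samples)


def make_stub_pe(ts: int) -> bytes:
    """Constructed minimal DOS+PE+COFF header for testing; not a runnable binary."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 0, ts, 0, 0, 0, 0)
    return dos + b"PE\0\0" + coff


if __name__ == "__main__":
    # Constructed corpus: one sample built at 10:00 UTC, one at 20:00 UTC.
    corpus = [make_stub_pe(1414490400), make_stub_pe(1414526400)]
    print(f"in-window fraction: {window_fraction(corpus):.2f}")
```

Timestamps can be forged, so a skewed distribution across many samples is a supporting clue, never proof on its own.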
There are only a limited number of agencies that could resource such highly-targeted campaigns over periods of years, which further narrows down the list of suspects.
Superpowers such as the US, China and (as it would like to be seen) Russia have the money to throw at programmers and sophistication, but it turns out they are just as easy to spot as any criminal group. Nobody can hide themselves completely.
FireEye describes the group as “phantoms”, but the idea that Russia is involved in advanced cyberattacks is no longer the dramatic news it would once have been – the country has been connected to several campaigns in the last two years targeting a variety of industry sectors, especially energy.
What remains less well documented – the FireEye research offers very little on this front – is a sense of how successful these attacks have been.
Again, assessing this is all about inference. APT28 has been around for a long time, which suggests its controllers have sent it back for more and more data.
“Despite rumours of the Russian Government’s alleged involvement in high-profile government and military cyber attacks, there has been little hard evidence of any link to cyber espionage,” said FireEye threat intelligence vice president, Dan McWhorter.
“FireEye’s latest advanced persistent threat report sheds light on cyber espionage operations that we assess to be most likely sponsored by the Russian government, long believed to be a leader among major nations in performing sophisticated network attacks.”
If it is well established, is it any longer that important? Possibly not. Russia clearly started its cyber campaigns as a spying operation, the sort of Internet surveillance many states are involved in. Recent evidence suggests it might now have moved on to more aggressive cyberwar, such as attacks designed to disrupt and inconvenience its enemies.
A good example would be the major attacks on a range of US financial institutions last summer, originally blamed on Russia. The US has since backtracked on this notion but the suspicion remains that the country is intent on using cyberwar to further its political ends.