Espionage Hacks Tied to Russians

Hackers Targeted U.S. Government, Defense Contractors, NATO
Espionage Hacks Tied to Russians

Information security experts say espionage-focused attackers, apparently operating from Russia, have been using phishing e-mails and malware in multi-stage attacks designed to evade detection and steal political and military secrets.

See Also: From Authentication to Advanced Attack Vectors: Top Trends in Cybercrime in Q1 2016

Multiple information security researchers say the attackers have relied on malware that's been labeled Sednit, Sofacy, Sourface and Coreshell. Targets have included U.S. government contractors, NATO, European security organizations and governments, as well as the U.S. State Department, they say.

Threat-intelligence firm FireEye says it's been tracking advanced persistent threat attacks from the group - which it calls APT28 - since 2007, and that the attacks have often focused on amassing "intelligence on defense and geopolitical issues" that would only be useful to a government. "While we don't have pictures of a building, personas to reveal, or a government agency to name, what we do have is evidence of long-standing, focused operations that indicate a government sponsor - specifically, a government based in Moscow," FireEye says.

Political, Military Targets

FireEye's analysis comes the same week that anti-virus vendor Trend Micro released a related report on the group's recent attacks, which it's dubbed "Operation Pawn Storm."

To date, Trend Micro says, the group's phishing attacks have targeted a number of well-known organizations, including the private military contractor ACADEMI - formerly known as "Blackwater" - as well as government IT contractor Science Applications International Corp. and the Organization for Security and Cooperation in Europe, which bills itself as being the world's largest security-oriented intergovernmental organization.

While the group is targeting military and state secrets, some of its attacks are decidedly low-tech. "While very crafty, the basic root of the attack stems from clever social engineering to gain an initial foothold, or to gain user credentials," Sagie Dulce, a security researcher at enterprise security vendor Imperva, tells Information Security Media Group.

Researchers at threat-intelligence firm iSight Partners say they've been tracking the activities of the group, which it calls "Tsar Team," and note that it's a different intrusion team to the Sandworm group that recently exploited a zero-day vulnerability in Microsoft Office. Earlier, this month, meanwhile, endpoint security firm ESET warned that the attackers had begun using legitimate sites to infect targets' PCs. "We recently came across cases of legitimate financial websites being redirected to a custom exploit kit," ESET says in an Oct. 8 blog post, noting that the compromised financial websites were based in Poland. "Based on our research and on some information provided by the Google Security Team, we were able to establish that it is used by the Sednit group. This is a new strategy for this group, which has relied mostly on spear-phishing emails up until now."

"The targeted attacks have evolved during the course of the year from spear-phishing with booby-trapped Microsoft Word documents to watering-hole attacks that use exploit kits to target unpatched versions of Internet Explorer," says information security expert Graham Cluley in a blog post.

Evidence Points To Russia

FireEye has attributed the attacks to individuals operating from Russia, and notes that attackers' goals differ from those of some other nation-state attackers. "This group, unlike the China-based threat actors we track, does not appear to conduct widespread intellectual property theft for economic gain. Nor have we observed the group steal and profit from financial account information," FireEye says.

The security firm adds that all of the malware it has traced to the group has been created using Russian-language compiler settings, while 89 percent of its malware was compiled during business hours - 8 a.m. to 6 p.m. - that correspond with the time zone for Moscow and St. Petersburg.

Of course, the choice of language and code-compile times could be a red herring. "If I was [with] a Chinese espionage group, wouldn't it be prudent to pretend it came from Russian intelligence?" says Rik Ferguson, vice president of security research for Trend Micro. But based on the information and victims the attackers are targeting, "without a doubt" they do have a Russian connection, he says.

Multi-Stage Attacks

Trend Micro warns that one recent attack being used by the Sednit group targets users of Microsoft Outlook Web Access, or OWA. The attack begins by hackers infecting legitimate sites with malware. As an example, Trend Micro says the attackers compromised Poland's Power Exchange website in September, adding a malicious iFrame to redirect users to an exploit kit that delivered the Sednit malware, although the malware would only execute when specified conditions were met - including specified languages, time zones and types of installed software.

Meanwhile, the group has also been using phishing attacks to lure targets to websites with real-looking - but spoofed - domain names. Those sites run non-malicious JavaScript in the user's browser, which tricks them into believing that their OWA session has expired, and directs them to a fake page to log in again. "The victims' credentials thus ended up in the attackers' hands," Trend Micro says, noting that the attack worked against all major browsers, including Chrome, Firefox, Internet Explorer and Safari.

Corporate e-mails weren't the ultimate target. Rather, attackers were seeking a beachhead for launching further reconnaissance and attacks. "No vulnerabilities need to be exploited for the JavaScript to work," Trend Micro says. "Because many companies allow employees to use webmail services to access their mailboxes while on business travel or at home, these attacks are likely to succeed. Once they do, attackers can gain access to compromised mailboxes that they can then use to gain a foothold in target networks."

The use of multi-stage attacks is also significant, and reportedly effective, Trend Micro says. "We believe the threat actors aimed to confuse their targets' IT administrators by making it hard for them to string attack components together, thus evading detection."

Tools: Sourface, Eviltoss, Chopstick

Many security firms use the general Sofacy or Sednit name to refer to different types of malware that have been tied to the APT28 group. To add more precision to the discussion, however, FireEye says it's labeling the Sofacy group's downloader "Sourface." If a target was successfully infected with Sourface, the malware phoned home to a command-and-control server, via hard-coded IP addresses, then downloaded the next stage of the attack. More recently, however, Sourface has been supplanted by "Coreshell," which contacts C&C servers using domain names.

Either downloader can then retrieve multiple attack modules from the C&C server, including "Eviltoss," which installs a backdoor on the infected system - to give attackers easier access - and "Chopstick," which is designed to collect data, including keystroke logs, PGP files, and Microsoft Office documents. The malware can then exfiltrate this data via HTTP, by using mail servers, or by copying it to local networks or removable USB devices, for example to defeat air-gapped networks.

Broader Implications

The reports from FireEye, Trend Micro and ESET should serve as a warning to any organizations operating in the government or defense sectors. But the attacks could be easily repurposed for any espionage or criminal operations. "The OWA phishing attacks seemed effective and so could be particularly dangerous to any organization that allows employees to use OWA," Trend Micro says.

The same goes for employees who use webmail to handle sensitive information. Ferguson says the company's researchers also saw attackers targeting Google, Hushmail, Yahoo and Yandex webmail accounts used by government and defense contractors to send work-related e-mails. Attackers would log into the accounts from either a U.S. or Latvia IP address and then use IMAP to download all messages.

APT28 also relies, in large part, on exploiting systems that are running outdated software. "Even if you aren't involved in defense contract work, and don't work with government agencies, your company might still be a potential target for attack," Cluley says. "Make sure that your computer systems are strongly defended, and patched promptly."

The group also relies on phishing e-mails, which use social engineering to fool employees into parting with corporate credentials. "Please train your staff to be suspicious of e-mails that arrive out of the blue, even if they initially appear to contain information that they might be interested in, and to always be very careful about what files they open, what links they click on, and where they choose to enter their username and password," Cluley says.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network