
EvilToss and Sourface hacker crew 'likely' backed by Kremlin – FireEye

US intel firm reports on 'APT28'

Russia is "likely" sponsoring a hacking outfit that targets foreign governments and security organisations, the US intelligence firm FireEye claims.

"APT28", a group that has possibly been operating for more than a decade, has attacked the governments of Georgia and other Eastern European countries, as well as NATO and the Organisation for Security and Co-operation in Europe, the company says.

In a report, FireEye alleges the group tried twice to hack Georgia's Ministry of Internal Affairs and also attacked its Ministry of Defence and an unnamed affiliated US defence contractor. Other targets included the governments of Hungary and Poland, the World Bank, European Commission, APEC and UN and a journalist who covers the Caucasus.

APT28 has become more sophisticated over the years, using custom and continually updated tools to resist reverse-engineering – this indicates a high level of skill and financial backing by an established organisation, "likely a government", according to FireEye.

Targeted by APT 28

Almost all of the tools were developed during regular Moscow and St Petersburg work hours between mid-2007 and last month, the securobods point out.
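The "work hours" finding comes from looking at when the malware was built: the PE header of each sample carries a compile timestamp in UTC, which an analyst converts to the suspected operator's local time zone and buckets by weekday and hour. The following is an added illustration of that technique written for this page; it is not FireEye's tooling or anything from the report, and the six sample timestamps are constructed for the example rather than taken from real APT28 binaries. The 08:00-18:00, Monday-to-Friday definition of working hours is the editor's assumption.

```python
"""Bucket PE compile timestamps by Moscow local working hours (editor's example)."""
from collections import Counter
from datetime import datetime, timezone, timedelta

try:
    from zoneinfo import ZoneInfo
    # Europe/Moscow handles the real history (UTC+3/+4 with DST before 2011,
    # fixed UTC+4 from 2011, fixed UTC+3 from late October 2014).
    MOSCOW = ZoneInfo("Europe/Moscow")
except Exception:  # host without tzdata: approximate with a fixed UTC+3
    MOSCOW = timezone(timedelta(hours=3), "MSK(fixed)")

# Editor's assumption for "regular working hours": 08:00-18:00, Monday-Friday.
WORK_START, WORK_END = 8, 18


def compile_time_from_pe_header(time_date_stamp: int) -> datetime:
    """The PE header's TimeDateStamp field is seconds since the Unix epoch, in UTC."""
    return datetime.fromtimestamp(time_date_stamp, tz=timezone.utc)


def classify(ts_utc: datetime, tz=MOSCOW) -> dict:
    """Convert a UTC compile time to local time and flag weekday / working-hour status."""
    local = ts_utc.astimezone(tz)
    return {
        "local": local,
        "weekday": local.weekday() < 5,               # Monday=0 .. Friday=4
        "work_hours": WORK_START <= local.hour < WORK_END,
    }


def summarize(samples, tz=MOSCOW) -> dict:
    """Count how many samples were built on a weekday inside working hours,
    and build a histogram of local build hour for the whole set."""
    hour_histogram = Counter()
    hits = 0
    for _name, ts in samples:
        c = classify(ts, tz)
        hour_histogram[c["local"].hour] += 1
        if c["weekday"] and c["work_hours"]:
            hits += 1
    total = len(samples)
    return {
        "total": total,
        "weekday_work_hours": hits,
        "fraction": hits / total if total else 0.0,
        "hour_histogram": hour_histogram,
    }


# Constructed sample set (placeholder names, invented build times) for illustration.
SAMPLES = [
    ("sample_1", compile_time_from_pe_header(1358233200)),            # 2013-01-15 07:00 UTC, Tue
    ("sample_2", datetime(2013, 1, 15, 22, 30, tzinfo=timezone.utc)),  # Tue night UTC
    ("sample_3", datetime(2013, 1, 19, 8, 0, tzinfo=timezone.utc)),    # Saturday
    ("sample_4", datetime(2008, 7, 8, 5, 30, tzinfo=timezone.utc)),    # Tue, Moscow summer time
    ("sample_5", datetime(2014, 11, 4, 13, 0, tzinfo=timezone.utc)),   # Tue, after the 2014 change
    ("sample_6", datetime(2013, 5, 2, 3, 0, tzinfo=timezone.utc)),     # Thu, before 08:00 local
]

if __name__ == "__main__":
    result = summarize(SAMPLES)
    for name, ts in SAMPLES:
        c = classify(ts)
        print(f"{name}: {c['local']:%Y-%m-%d %H:%M %Z} weekday={c['weekday']} work_hours={c['work_hours']}")
    print(f"{result['weekday_work_hours']}/{result['total']} built on a weekday during working hours")
```

With these constructed inputs three of the six builds fall inside Moscow working hours; on a real corpus the interesting signal is the shape of the hour histogram across hundreds of samples, and the usual caveat applies that compile timestamps are trivially forgeable, so this kind of analysis supports an attribution rather than proves it.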

"Many of APT28's targets align generally with interests that are typical of any government. However, three themes in APT28's targeting clearly reflect areas of specific interest to an Eastern European government, most likely the Russian Government," the report, APT 28: A Window into Russia's Cyber Espionage Operations? (PDF), said.

"These include the Caucasus (especially the Georgian Government), Eastern European governments and militaries and specific security organisations.

"Given the available data, we assess that APT28's work is sponsored by the Russian government."

The hacking group created fake websites targeting those interested in NATO and several defence events in Europe including this year's Farnborough Airshow, EuroNaval, EUROSATORY and Counter Terror Expo.

"Targeting organisations and professionals involved in these defense events would likely provide APT28 with an opportunity to procure intelligence pertaining to new defense technologies," the report said.

The hacking outfit used a downloader tool that FireEye dubbed "Sourface", a backdoor labelled "EvilToss" and a flexible modular implant called "Chopstick".

Together, these tools could provide access to the file system and registry; enumerate network resources; create processes; log keystrokes; access stored credentials; execute shellcode; and encrypt exfiltrated data with an RSA public key before uploading it.

The tools trafficked data over mail servers and one version of Chopstick could even get around air-gaps by routing messages between local directories, the registry and USB drives.

In January 2013, Mandiant, an IT security vendor acquired this year by FireEye for $1bn, exposed a sophisticated hacking group based out of and sponsored by Beijing. Ma

FireEye has published Indicators of Compromise so that organisations can check their own networks for signs of infection. ®
