EvilToss and Sourface hacker crew 'likely' backed by Kremlin – FireEye

US intel firm reports on 'APT28'

Russia is "likely" sponsoring a hacking outfit that targets foreign governments and security organisations, the US intelligence firm FireEye claims.

"APT28", a group that has possibly been operating for more than a decade, has attacked governments in Georgia and Eastern Europe, as well as NATO and the Organisation for Security and Co-operation in Europe, the company says.

In a report, FireEye alleges the group tried twice to hack Georgia's Ministry of Internal Affairs and also attacked its Ministry of Defence and an unnamed affiliated US defence contractor. Other targets included the governments of Hungary and Poland, the World Bank, European Commission, APEC and UN and a journalist who covers the Caucasus.

APT28 has become more sophisticated over the years, using custom and continually updated tools to resist reverse-engineering – this indicates a high level of skill and financial backing by an established organisation, "likely a government", according to FireEye.

Targeted by APT 28

Almost all of the tools were developed during regular Moscow and St Petersburg work hours between mid-2007 and last month, the securobods point out.

"Many of APT28's targets align generally with interests that are typical of any government. However, three themes in APT28's targeting clearly reflect areas of specific interest to an Eastern European government, most likely the Russian Government," the report, APT 28: A Window into Russia's Cyber Espionage Operations? (PDF), said.

"These include the Caucasus (especially the Georgian Government), Eastern European governments and militaries and specific security organisations.

"Given the available data, we assess that APT28's work is sponsored by the Russian government."

The hacking group created fake websites targeting those interested in NATO and several defence events in Europe including this year's Farnborough Airshow, EuroNaval, EUROSATORY and Counter Terror Expo.

"Targeting organisations and professionals involved in these defense events would likely provide APT28 with an opportunity to procure intelligence pertaining to new defense technologies," the report said.

The hacking outfit used a downloader tool that FireEye dubbed "Sourface", a backdoor labelled "EvilToss" and a flexible modular implant called "Chopstick".

Together, these tools could provide access to the file system and registry; enumerate network resources; create processes; log keystrokes; access stored credentials; execute shellcode, and encrypt exfiltrated data uploaded with an RSA public key.

The tools trafficked data over mail servers and one version of Chopstick could even get around air-gaps by routing messages between local directories, the registry and USB drives.

In January 2013, Mandiant, an IT security vendor acquired this year by FireEye for $1bn, exposed a sophisticated hacking group based out of and sponsored by Beijing. Ma

FireEye has published Indicators of Compromise allowing organisations to attempt to assess networks for infection. ®
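Sweeping a network against a published indicator list is the practical use of such a release. The script below is an added example, not code from FireEye or from the article, showing how a defender would match vendor-style indicators (domains and file hashes) against DNS/proxy logs and file contents. Every indicator, log line and file blob in it is a constructed placeholder; none are the APT28 indicators the report publishes.

```python
"""Match a constructed indicator set against constructed log lines and
file contents, in the way a defender would apply a vendor's IoC release.
All indicators and sample data here are placeholders, not real APT28 IoCs."""
import hashlib
import re
from typing import Iterable

# Constructed indicator set (placeholders standing in for a vendor's list).
IOC_DOMAINS = {"placeholder-c2.example", "update-check.example"}
IOC_SHA256 = {
    hashlib.sha256(b"constructed sample payload").hexdigest(),
}

# Constructed DNS and proxy log lines.
SAMPLE_LOGS = [
    "2014-10-28T09:15:02Z dns client=10.0.0.12 query=www.example.org",
    "2014-10-28T09:15:07Z dns client=10.0.0.12 query=placeholder-c2.example",
    "2014-10-28T09:16:40Z proxy client=10.0.0.44 url=http://update-check.example/a.php",
    "2014-10-28T09:17:01Z proxy client=10.0.0.44 url=http://cdn.example.org/lib.js",
]

# Pull the host out of either a DNS "query=" field or a proxy "url=" field.
HOST_RE = re.compile(r"(?:query=|url=https?://)([A-Za-z0-9.-]+)")
CLIENT_RE = re.compile(r"client=(\S+)")


def match_domains(lines: Iterable[str], iocs=IOC_DOMAINS) -> list[tuple[str, str]]:
    """Return (client, host) for each line whose host is an IoC domain or a subdomain of one."""
    hits = []
    for line in lines:
        host_match = HOST_RE.search(line)
        client_match = CLIENT_RE.search(line)
        if not host_match or not client_match:
            continue
        host = host_match.group(1).lower()
        if any(host == d or host.endswith("." + d) for d in iocs):
            hits.append((client_match.group(1), host))
    return hits


def match_hashes(blobs: dict[str, bytes], iocs=IOC_SHA256) -> list[str]:
    """Return the names of blobs whose SHA-256 digest appears in the indicator set."""
    return [name for name, data in blobs.items()
            if hashlib.sha256(data).hexdigest() in iocs]


if __name__ == "__main__":
    print(match_domains(SAMPLE_LOGS))
    print(match_hashes({"a.bin": b"constructed sample payload", "b.bin": b"benign"}))
```

Matching on subdomains as well as exact hosts is the deliberate choice here: indicator lists usually name a registered domain, while logs record whatever host the malware actually contacted.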
