A look under the covers of the APT group known as Fancy Bear (aka Sednit, APT28, Pawn Storm or Sofacy) shows that its cyberespionage activities are swelling as it continues to target thousands of high-profile individuals and organizations, including NATO institutions, political leaders and heads of police, and diplomats across the globe.
The gang, believed to be behind the hack on the US Democratic National Committee (DNC), has been engaged in criminal activity since at least 2004 and has developed sophisticated attacks that bypass the typical network security at compromised organizations, ESET researchers noted in a report. Recent targets include embassies in South America, the Middle East, Africa and Asia, Ministries of Defense in Europe and Asia, Ukrainian political leaders, Russian political dissidents and members of Russia’s People’s Freedom Party. ESET has uncovered that the group has so far targeted at least 1,888 unique email addresses.
Using phishing attacks and zero-day exploits, the group has gained access to a plethora of confidential information, with most of the attacks occurring on Mondays or Fridays. ESET researchers have found that Fancy Bear also has created legions of custom programs, backdoors, bootkits and rootkits to assist it in its spying.
A common technique used by the Fancy Bear group when targeting an organization is to attempt to steal users’ webmail credentials. Targeted phishing emails, for instance, are sent to targets linking to fake login pages where users are tricked into entering their usernames and passwords.
The emails use social engineering to convince recipients that they must act on the message urgently, in the hope that the target clicks a link in haste without thinking about the possible consequences. The emails either attach a malicious file or link to a website hosting a custom exploit kit.
In the case of malicious email attachments, the group has exploited vulnerabilities in Microsoft Word, Microsoft Excel, Adobe Flash and Adobe Reader. In other attacks, fake websites hosting malware have been created, luring readers with the headlines of legitimate news articles, like, “Taking War Seriously: a Russia-NATO Showdown Is No Longer Just Fiction.”
The sophistication level is notable: As ESET’s researchers document, in 2015 alone the group exploited no fewer than six zero-day vulnerabilities in the likes of Windows, Adobe Flash and Java.
This aids in attribution, the researchers said: “A run-of-the-mill criminal gang would be unlikely to make use of quite so many previously unknown, unpatched vulnerabilities because of the significant skill, time and resources required to properly uncover and exploit them. The level of sophistication shown by Sednit underlines the common belief that it is a state-sponsored hacking group.”
As to which state: the investigation looked at the times of day at which the attackers appeared to be operating. The distribution of activity across the hours of the day matches a 9 am to 5 pm working day in the UTC+3 time zone, with some activity in the evening. That is consistent with Russia and other Eastern European locales.
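The working-hours and day-of-week observations above are both simple statistics over activity timestamps. The following added example (my own illustration, not code or data from ESET's report) shows the technique: given UTC timestamps of attacker activity, count events per weekday and score every candidate UTC offset by the fraction of events that would fall inside an assumed 9 am to 5 pm local office day. The timestamps below are constructed for the example; the 9-to-5 window and the candidate offset range are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample of attacker activity timestamps in UTC, the kind of data
# one extracts from mail headers or PE compile timestamps. Made-up values for
# this example, not ESET's data.
SAMPLE_TIMESTAMPS_UTC = [
    "2015-03-02T06:15:00", "2015-03-02T08:40:00", "2015-03-02T11:05:00",
    "2015-03-02T13:50:00",                                                 # Monday
    "2015-03-03T10:20:00",                                                 # Tuesday
    "2015-03-04T09:30:00", "2015-03-04T12:10:00", "2015-03-04T16:30:00",   # Wednesday, one evening event
    "2015-03-05T07:45:00",                                                 # Thursday
    "2015-03-06T06:50:00", "2015-03-06T09:10:00", "2015-03-06T12:40:00",
    "2015-03-06T13:20:00",                                                 # Friday
    "2015-03-09T07:05:00", "2015-03-09T10:55:00", "2015-03-09T13:30:00",   # Monday
    "2015-03-13T06:30:00", "2015-03-13T08:15:00", "2015-03-13T11:45:00",   # Friday
]

WORKDAY_START, WORKDAY_END = 9, 17   # assumed "9 am to 5 pm" local office hours
WEEKDAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]


def parse_utc(timestamps):
    """Turn ISO-8601 strings into timezone-aware UTC datetimes."""
    return [datetime.fromisoformat(ts).replace(tzinfo=timezone.utc) for ts in timestamps]


def weekday_histogram(timestamps, offset_hours=0):
    """Count events per weekday, evaluated in the local time of the given UTC offset."""
    tz = timezone(timedelta(hours=offset_hours))
    return Counter(WEEKDAYS[dt.astimezone(tz).weekday()] for dt in parse_utc(timestamps))


def workday_fit(timestamps, offset_hours):
    """Fraction of events whose local hour at the given UTC offset lies in [9, 17)."""
    tz = timezone(timedelta(hours=offset_hours))
    dts = parse_utc(timestamps)
    in_hours = sum(WORKDAY_START <= dt.astimezone(tz).hour < WORKDAY_END for dt in dts)
    return in_hours / len(dts)


def rank_offsets(timestamps, candidates=range(-12, 15)):
    """Score every candidate UTC offset by how well it explains the activity as office hours.

    Sorted by descending fit; ties are broken towards the offset closest to UTC
    only to make the output deterministic, not because that is more likely.
    """
    scored = [(off, workday_fit(timestamps, off)) for off in candidates]
    return sorted(scored, key=lambda pair: (-pair[1], abs(pair[0])))


def best_offset(timestamps):
    """Return the best-fitting (offset, fit) and the runner-up, so the margin is visible."""
    ranked = rank_offsets(timestamps)
    return ranked[0], ranked[1]


if __name__ == "__main__":
    days = weekday_histogram(SAMPLE_TIMESTAMPS_UTC, offset_hours=3)
    print("events per weekday (UTC+3):", dict(days))
    (best, fit), (second, fit2) = best_offset(SAMPLE_TIMESTAMPS_UTC)
    print(f"best offset UTC{best:+d} ({fit:.0%} inside 9-17), runner-up UTC{second:+d} ({fit2:.0%})")
```

Two caveats a practitioner should keep in mind: neighbouring offsets always score close to the best one because the office-hours window is wide, so report the margin rather than a single answer, and UTC+3 covers more than one country, which is why the article itself only says "Russia and other Eastern European locales". Timestamps can also be forged or stamped by the build tool, so this is supporting evidence alongside the zero-day count, not proof on its own.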
High-profile publicized examples of past attacks linked to the group include the DNC, the German Parliament and the French TV network TV5Monde. The recent high-profile data breaches at WADA have also been attributed to Fancy Bear. All of the attacks were tied by investigators to the Kremlin.