A previously unreported Fancy Bear campaign indicates APT28 has persisted for well over a year and indicates that the notorious group has broadened its focus. Hackers from Russia’s GRU military intelligence agency, Units 26165 and 74455, aka Fancy Bear/APT28, have deep interests and experience in decryption, hacking, and dissemination of stolen information. These two units have carried out many of the most aggressive acts of hacking in history that have included destructive worms, blackouts, and closest to home for the US is a broad hacking and-leaking operation designed to influence the outcome of the 2016 US presidential election. Other notable targets include French Presidential hacking, the 2017 Olympic Anti-Doping Agencies hacking, and many others.
It is important for the US (and all western nations) to be ready for new attacks regarding VPNFilter botnet with the upcoming 2020 Presidential election cycle. Now it appears the GRU has been hitting US networks again, this in a series of previously unreported intrusions that targeted organizations ranging from government agencies to critical infrastructure.
According to the US Federal Bureau of Investigation (FBI), attacks beginning in 2017 and up to May 2020, the GRU hacker group known as APT28 or Fancy Bear carried out a broad hacking campaign against US targets. The FBI says the GRU hackers primarily attempted to break into victims’ mail servers, Microsoft Office 365, email accounts, and VPN servers. The targets included "a wide range of US-based organizations, state and federal government agencies, and educational institutions," Technical breadcrumbs included in that notice reveal that APT28 hackers have targeted the US energy sector, apparently as part of the same effort.
The revelation of a potentially ongoing US-targeted GRU hacking spree is especially troubling in light of the GRU's past operations, which have often gone beyond mere espionage to include embarrassing email leaks or even disruptive cyberattacks. APT28 hackers have been the subject of US indictments alleging hack-and-leak operations targeting both the 2016 US election and the Worldwide Anti-Doping Agency (WADA). The latter attack was in apparent retaliation for the International Olympic Committee banning Russia from the 2018 Olympics for performance-enhancing drug use.
"Although not all motives are clear, we can make judgments based on the nature of the target as seen through past indictments," said an FBI spokesperson. The FBI also indicated that the GRU hacking campaign has likely continued into recent months. "An Advanced Persistent Threat is just that," the spokesperson added, referring to the APT acronym from which APT28 takes its name. "There is an expectation of continued activity."
According to the FBI's victim notification system, APT28 hackers have gained access to networks via spear-phishing emails sent to both personal and work email accounts. They have also used password-spraying attacks, in which hackers try common passwords across many accounts, as well as brute force attacks that guess a long list of passwords against one or a small number of accounts.
Within days of the FBI's notification being sent to victims in early May 2020, the US National Security Agency (NSA) issued a public advisory that Sandworm, a separate but closely linked GRU hacker group, was exploiting a vulnerability in Exim mail servers to target victims. The FBI stated it knew of no connection between that Exim exploitation and the APT28 campaign.
One staff member at an affected organization reported that the IT staff had seen no sign of a successful phishing attack but found that the hackers had accessed their email server. "Once they were on the server they stole entire mailboxes," says the staffer, who did not reveal either their identity or the organization. The organization was eventually notified by the FBI that they had in fact been breached by APT28. "The natural worry is, am I the next John Podesta?" the staffer says, referring to the Hillary Clinton campaign director whose emails were stolen and leaked by APT28 ahead of the 2016 election. "Reading the victim notification and realizing how many different organizations were probably targeted, it just underscores that exactly what we worried about in 2016 is something that Russia is literally still doing as we speak."
The FBI declined to comment on how many victims the APT28 campaign may have targeted, or how many of those attempts were successful. But the security firm FireEye says it has learned of a "handful" of victim organizations that were compromised by hackers, were using the same IP addresses listed as used by APT28. In those cases, the hackers appear not to have infected systems with malware, instead was using stolen credentials to move around the corporate network, just as employees would.
While neither FireEye nor the FBI would reveal the identities of APT28's victims. At least one of the group's targets appears to have been in the US energy sector company. A Department of Energy advisory issued in January 2020 warned that on Christmas Eve of 2019, someone probed the login pages of a "US energy entity" from an IP address that had previously been used by APT28. That same IP address was also listed by the FBI among those used by APT28's hackers through May 2020, confirming that APT28 was very likely behind the energy sector incident. Energy sector intrusions would represent a shift in targeting for APT28.
While these new attacks may be a new use for APT28, the GRU does have a history of hacking critical infrastructure. The GRU hacker group Sandworm planted malware on the networks of US electric utilities in 2014, then carried out the first-ever cyberattack-induced blackouts in Ukraine in 2015 and 2016. A suggestion that APT28 may now be testing US energy industry targets.
A new GRU hacking campaign targeting US organizations in 2020 also raises the possibility of another round of election interference, given the GRU's notorious campaign of electoral interference in 2016. US intelligence officials have been warning since early this year that Russia has sought to interfere in US electoral politics again to help re-elect President Trump. But the FBI said they saw no signs that this particular string of intrusions by APT28 was related to the upcoming presidential election. The new campaign shows that the GRU's general interest in US targets has not ended, even as their endgame remains unclear.
Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives. Internal monitoring is common practice. However, external threats are often overlooked and can represent an early warning of impending attacks. Red Sky Alliance can provide both internal monitoring in tandem with RedXray notifications on external threats to include, botnet activity, public data breaches, phishing, fraud, and general targeting.
Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or firstname.lastname@example.org
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Report Date: 07292020