Friday, October 31, 2014


Research links massive cyber spying ring to Russia

Foregoing crime, the group targets European, US governments in 7-year spree.


A professional espionage group has targeted a variety of Eastern European governments and security organizations with attacks aimed at stealing political and state secrets, security firm FireEye stated in a report released on Tuesday.
The group, dubbed APT28 by the company, has targeted high-level officials in Eastern European countries such as Georgia, and security organizations such as the North Atlantic Treaty Organization (NATO). While Russian and Ukrainian cybercriminal groups are known to conduct massive campaigns aimed at stealing money and financial information, APT28 focuses solely on political information and state secrets, according to FireEye.
The report argues that the group is closely tied to Russia and likely part of Moscow’s intelligence apparatus.
“This group, unlike the China-based threat actors we track, does not appear to conduct widespread intellectual property theft for economic gain,” FireEye stated in the report. “Nor have we observed the group steal and profit from financial account information.”
While linking specific actions on the Internet to people in the real world is difficult, FireEye used the report to make the case that a variety of espionage operations can be laid on the collective keyboards of APT28 and that the group is tightly linked to Russia.
This is not the first time the company has taken aim at nation-state cyber espionage. In 2013, Mandiant, now a subsidiary of FireEye, released a report on a Chinese group, APT1, which the company argued was part of the People's Liberation Army and which Mandiant researchers tied to attacks on more than 100 companies. The report has shaped much of the debate over online espionage between countries.
Attributing APT28’s efforts to Russia seems straightforward. More than half of the language settings in the compiled executables are Russian. Also, 96 percent of the malware samples analyzed by FireEye were compiled between Monday and Friday, from 8 am to 6 pm in the GMT+4 time zone, which matches Moscow. Such regularity suggests that the programmers were working a regular work week in Moscow, the report argues.
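The compile-time clustering described above, as an added example that is not code from the article or from FireEye's report: it scores how many PE TimeDateStamp values fall on Mon-Fri, 8 am to 6 pm at a given UTC offset, searches for the best-fitting offset, and filters out zeroed or future-dated stamps first. The function names and the sample timestamps are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

WORK_START, WORK_END = 8, 18  # 8 am to 6 pm, the window the report uses

def working_hours_fraction(timestamps, utc_offset_hours):
    """Share of Unix-epoch stamps landing Mon-Fri in [WORK_START, WORK_END)
    at the given UTC offset, plus a (weekday, hour) histogram."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    hist, hits = Counter(), 0
    for ts in timestamps:
        local = datetime.fromtimestamp(ts, tz)
        hist[(local.weekday(), local.hour)] += 1
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            hits += 1
    return (hits / len(timestamps) if timestamps else 0.0), hist

def best_fitting_offset(timestamps, offsets=range(-12, 15)):
    """UTC offset under which the largest share falls in working hours.
    Zeroed or randomised TimeDateStamps defeat this, so treat it as one
    weak signal to combine with others (e.g. resource language IDs)."""
    return max(offsets, key=lambda o: working_hours_fraction(timestamps, o)[0])

def drop_implausible(timestamps, newest_allowed):
    """Discard zeroed or future-dated stamps before clustering."""
    return [ts for ts in timestamps if 0 < ts <= newest_allowed]

# Constructed sample stamps (not values from the report), written as GMT+4
# wall-clock times and converted to epoch seconds.
GMT4 = timezone(timedelta(hours=4))
def _ts(y, m, d, h, mi=0):
    return int(datetime(y, m, d, h, mi, tzinfo=GMT4).timestamp())

SAMPLE_TIMESTAMPS = [
    _ts(2014, 4, 7, 9, 15), _ts(2014, 4, 7, 14, 40),   # Mon
    _ts(2014, 4, 8, 10, 5), _ts(2014, 4, 8, 17, 30),   # Tue
    _ts(2014, 4, 9, 8, 0),                             # Wed, 08:00 is in-window
    _ts(2014, 4, 10, 12, 0), _ts(2014, 4, 11, 16, 45), # Thu, Fri
    _ts(2014, 4, 12, 11, 0), _ts(2014, 4, 13, 20, 0),  # Sat, Sun: outside
    _ts(2014, 4, 15, 13, 20),                          # Tue
    0,                                                 # zeroed stamp, filtered
]

if __name__ == "__main__":
    clean = drop_implausible(SAMPLE_TIMESTAMPS, _ts(2014, 10, 31, 0))
    share, _ = working_hours_fraction(clean, 4)
    print(f"{share:.0%} of stamps in GMT+4 working hours; "
          f"best-fitting offset: GMT{best_fitting_offset(clean):+d}")
```

On the constructed set, 8 of the 10 plausible stamps land in the window at GMT+4 and no other offset fits as well; a real corpus needs hundreds of samples before the share means anything.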
The group behind the tools used by APT28 has frequently updated the software and focused on making the resulting binaries difficult for defenders to reverse engineer, according to the report. The technical components include a downloader, dubbed “SOURFACE” by FireEye, a program to give hackers remote access (“EVILTOSS”), and a group of modules to enhance the functionality of the espionage software (“CHOPSTICK”). The modular nature of the program, similar to other espionage threats such as Flame and Duqu, allows attackers to pick and choose the final functionality of any particular attack, as well as tailor the eventual malware to the target's environment.
The code’s sophistication and complexity suggest a professional development group, the company said.
“The coding practices evident in the group’s malware suggest both a high level of skill and an interest in complicating reverse engineering efforts,” the report stated.
For the most part, the analysis focuses on the group’s interests and how those interests are closely tied with the Russian government.
